CVE-2024-29872

Name of the Vulnerable Software and Affected Versions Sentrifugo version 3.2

Description The issue is related to a SQL injection vulnerability. It could allow a remote user to send a specially crafted query to the server and extract all the data from it. The vulnerability is exploited through the "/sentrifugo/index.php/empscreening/add" API endpoint, specifically targeting the agencyids parameter.

Recommendations For Sentrifugo version 3.2, as a temporary workaround, consider restricting access to the "/sentrifugo/index.php/empscreening/add" API endpoint to minimize the risk of exploitation. Avoid using the agencyids parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.