CVE-2024-29874

Name of the Vulnerable Software and Affected Versions Sentrifugo version 3.2

Description The issue is related to a SQL injection vulnerability. It affects the /sentrifugo/index.php/default/reports/activeuserrptpdf API endpoint, specifically the sort name parameter. This vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.

Recommendations For Sentrifugo version 3.2, consider disabling access to the /sentrifugo/index.php/default/reports/activeuserrptpdf API endpoint until a patch is available. Additionally, restrict the use of the sort name parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.