CVE-2024-29875

Name of the Vulnerable Software and Affected Versions Sentrifugo version 3.2

Description A SQL injection vulnerability exists in Sentrifugo, allowing a remote user to send a specially crafted query to the server and extract all the data from it. This issue is related to the "/sentrifugo/index.php/default/reports/exportactiveuserrpt" API endpoint, specifically the sort name parameter.

Recommendations For Sentrifugo version 3.2, as a temporary workaround, consider restricting access to the "/sentrifugo/index.php/default/reports/exportactiveuserrpt" API endpoint to minimize the risk of exploitation. Avoid using the sort name parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.