Platform
php
Component
sentrifugo
Fixed in
3.2.1
CVE-2024-29871 describes a critical SQL injection vulnerability discovered in Sentrifugo versions 3.2. This flaw allows a remote attacker to craft malicious queries and potentially extract sensitive data from the database. The vulnerability is located in the /sentrifugo/index.php/index/getdepartments/sentrifugo/index.php/index/updatecontactnumber endpoint, specifically within the 'id' parameter. Affected users should immediately upgrade to version 3.2.1 to mitigate this risk.
The SQL injection vulnerability in Sentrifugo 3.2 poses a significant threat to data confidentiality. An attacker exploiting this flaw can bypass security controls and directly manipulate database queries. Successful exploitation could lead to the extraction of all data stored within the database, including user credentials, sensitive configuration information, and potentially personally identifiable information (PII). The impact extends beyond simple data theft; an attacker could also modify or delete data, leading to system instability and operational disruption. While no public exploits are currently known, the critical CVSS score indicates a high likelihood of exploitation if the vulnerability remains unpatched.
CVE-2024-29871 was publicly disclosed on March 21, 2024. It is currently listed on the NVD. The vulnerability's critical CVSS score (9.8) suggests a high probability of exploitation. While no active campaigns or public proof-of-concept exploits have been reported as of this writing, the ease of exploitation associated with SQL injection vulnerabilities means it is likely to become a target for opportunistic attackers. It has not yet been added to the CISA KEV catalog.
Exploit Status
EPSS
0.78% (74% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-29871 is to immediately upgrade Sentrifugo to version 3.2.1, which contains the necessary fix. If upgrading is not immediately feasible, consider implementing temporary workarounds. Input validation and sanitization on the 'id' parameter within the vulnerable endpoint can help prevent malicious queries from being executed. Web application firewalls (WAFs) configured to detect and block SQL injection attempts can provide an additional layer of defense. Monitor application logs for suspicious SQL queries or error messages that might indicate an attempted exploitation. After upgrading, confirm the vulnerability is resolved by attempting a test query with a known malicious payload and verifying that it is properly sanitized.
Update Sentrifugo to a version later than 3.2 that fixes the (SQL Injection) vulnerability. If no version is available, it is recommended to apply the necessary security measures to mitigate the risk of (SQL Injection), such as user input validation and sanitization.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-29871 is a critical SQL injection vulnerability affecting Sentrifugo version 3.2. It allows attackers to extract data by manipulating database queries through the 'id' parameter.
Yes, if you are running Sentrifugo version 3.2, you are affected by this vulnerability. Upgrade to version 3.2.1 to mitigate the risk.
The recommended fix is to upgrade Sentrifugo to version 3.2.1. Temporary workarounds include input validation and WAF implementation.
While no active campaigns have been confirmed, the critical CVSS score suggests a high likelihood of exploitation if the vulnerability remains unpatched.
Refer to the Sentrifugo project's official website or security advisories for the latest information and updates regarding CVE-2024-29871.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.