Platform
php
Component
sentrifugo
Fixed in
3.2.1
CVE-2024-29875 describes a critical SQL injection vulnerability affecting Sentrifugo versions 3.2 through 3.2. An attacker can exploit this flaw by crafting malicious queries through the /sentrifugo/index.php/default/reports/exportactiveuserrpt endpoint, potentially leading to unauthorized data extraction. The vulnerability was published on March 21, 2024, and a patch is available in version 3.2.1.
This SQL injection vulnerability allows a remote attacker to inject arbitrary SQL code into the sort_name parameter of the /sentrifugo/index.php/default/reports/exportactiveuserrpt endpoint. Successful exploitation could enable the attacker to bypass security measures and directly query the underlying database. The attacker could extract sensitive data, including user credentials, configuration details, and potentially even system files, depending on the database permissions. This represents a significant data breach risk and could lead to further compromise of the system. The potential impact is substantial, as the attacker gains direct access to the database, bypassing standard application security layers.
CVE-2024-29875 is a high-severity vulnerability with a CVSS score of 9.8. Public proof-of-concept exploits are likely to emerge given the ease of exploitation of SQL injection vulnerabilities. As of the publication date, there is no indication of active exploitation campaigns, but the vulnerability's criticality warrants immediate attention. This vulnerability was disclosed on March 21, 2024.
Exploit Status
EPSS
0.78% (74% percentile)
CVSS Vector
The primary mitigation for CVE-2024-29875 is to immediately upgrade Sentrifugo to version 3.2.1 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as input validation and sanitization on the sort_name parameter. Web application firewalls (WAFs) configured to detect and block SQL injection attempts can also provide a layer of defense. Monitor access logs for suspicious SQL queries targeting the /sentrifugo/index.php/default/reports/exportactiveuserrpt endpoint. After upgrading, confirm the vulnerability is resolved by attempting a test query with a known malicious payload and verifying that it is properly sanitized.
Update to a patched version of Sentrifugo that addresses the SQL Injection (SQL Injection) vulnerability. If a patched version is not available, consider disabling or removing the vulnerable component until a fix is released. Consult the vendor's website for updates and security patches.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-29875 is a critical SQL injection vulnerability in Sentrifugo versions 3.2 through 3.2, allowing attackers to extract data via the /sentrifugo/index.php/default/reports/exportactiveuserrpt endpoint.
Yes, if you are running Sentrifugo version 3.2, you are vulnerable to this SQL injection flaw. Upgrade to 3.2.1 immediately.
The recommended fix is to upgrade to Sentrifugo version 3.2.1 or later. Temporary workarounds include input validation and WAF rules.
While there is no confirmed active exploitation at this time, the vulnerability's criticality makes it a likely target for attackers.
Refer to the Sentrifugo project's official website or security advisories for the latest information and updates regarding CVE-2024-29875.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.