CVE-2020-26805 Information

Description

In Sentrifugo 3.2, an admin can edit an employee's information via the endpoint /sentrifugo/index.php/empadditionaldetails/edit/userid/2. In this POST request the `employeeNumId` parameter is affected by a SQL injection vulnerability. An attacker can inject SQL commands into the query to read data from the database or write data into the database.

Reference

https://fatihhcelik.blogspot.com/2020/10/sentrifugo-version-32-sqli.html