CVE-2019-15814

MEDIUM

Sentrifugo 3.2 - Authenticated Stored Cross-Site Scripting

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-15814. PoCs published by creosote.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in Sentrifugo 3.2, allowing a low-privileged user to execute arbitrary JavaScript in the context of an admin user's session. The PoC includes a script that crafts a malicious request to add a new admin user via session riding.

Description

Multiple stored XSS vulnerabilities in Sentrifugo 3.2 could allow authenticated users to inject arbitrary web script or HTML.

Exploits (1)

exploitdb WORKING POC
by creosote · text · webapps · php
https://www.exploit-db.com/exploits/47324

Classification: Working PoC 95%
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: Sentrifugo 3.2
Auth required
Prerequisites: Access to a low-privileged user account · Ability to host a malicious JavaScript file on an attacker-controlled server · Knowledge of target environment specifics (e.g., employee IDs, roles)
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/47324

Scores

CVSS v3 5.4
EPSS 0.0158
EPSS Percentile 72.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status published
Products (1)
sentrifugo/sentrifugo 3.2
Published Sep 04, 2019
Tracked Since Feb 18, 2026