Description
In Sentrifugo 3.2, users can share an announcement under the "Organization -> Announcements" tab. On this page, users can also upload attachments with the shared announcements. This "Upload Attachment" functionality suffers from an "Unrestricted File Upload" vulnerability, so an attacker can upload malicious files using this functionality and control the server.
References (1)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://fatihhcelik.blogspot.com/2020/10/sentrifugo-version-32-rce-authenticated.html
Scores
CVSS v3
8.8
EPSS
0.0042
EPSS Percentile
62.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-434
Status
published
Products (1)
sapplica/sentrifugo
3.2
Published
Nov 12, 2020
Tracked Since
Feb 18, 2026