sapplica CVE Vulnerabilities & Metrics

Focus on sapplica vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About sapplica Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with sapplica. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.


Global CVE Overview

Total sapplica CVEs: 18
Earliest CVE date: 28 Aug 2018, 19:29 UTC
Latest CVE date: 21 Mar 2024, 14:15 UTC

Latest CVE reference: CVE-2024-29879

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 10

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 900.0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 900.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical sapplica CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 2.34

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range Count
0.0-3.9 11
4.0-6.9 6
7.0-8.9 1
9.0-10.0 0

CVSS Distribution Chart

Top 5 Highest CVSS sapplica CVEs

These are the five CVEs with the highest CVSS scores for sapplica, sorted by severity first, then by recency.

All CVEs for sapplica

CVE-2024-29879 sapplica vulnerability CVSS: 0 21 Mar 2024, 14:15 UTC

Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/format/html, 'business_id' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data.

CVE-2024-29878 sapplica vulnerability CVSS: 0 21 Mar 2024, 14:15 UTC

Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/sitepreference/add, 'description' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data.

CVE-2024-29877 sapplica vulnerability CVSS: 0 21 Mar 2024, 14:15 UTC

Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/expenses/expensecategories/edit, 'expense_category_name' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data.

CVE-2024-29876 sapplica vulnerability CVSS: 0 21 Mar 2024, 14:15 UTC

SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/reports/activitylogreport, 'sortby' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.

CVE-2024-29875 sapplica vulnerability CVSS: 0 21 Mar 2024, 14:15 UTC

SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/default/reports/exportactiveuserrpt, 'sort_name' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.

CVE-2024-29874 sapplica vulnerability CVSS: 0 21 Mar 2024, 14:15 UTC

SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/default/reports/activeuserrptpdf, 'sort_name' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.

CVE-2024-29873 sapplica vulnerability CVSS: 0 21 Mar 2024, 14:15 UTC

SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/reports/businessunits/format/html, 'bunitname' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.

CVE-2024-29872 sapplica vulnerability CVSS: 0 21 Mar 2024, 14:15 UTC

SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/empscreening/add, 'agencyids' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.

CVE-2024-29871 sapplica vulnerability CVSS: 0 21 Mar 2024, 14:15 UTC

SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/sentrifugo/index.php/index/updatecontactnumber, 'id' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.

CVE-2024-29870 sapplica vulnerability CVSS: 0 21 Mar 2024, 14:15 UTC

SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/format/html, 'business_id' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it.

CVE-2023-29770 sapplica vulnerability CVSS: 0 28 Nov 2023, 00:15 UTC

In Sentrifugo 3.5, the AssetsController::uploadsaveAction function allows an authenticated attacker to upload any file without extension filtering.

CVE-2020-28365 sapplica vulnerability CVSS: 4.3 30 Dec 2020, 19:15 UTC

Sentrifugo 3.2 is affected by a Stored Cross-Site Scripting (XSS) vulnerability: a payload can be inserted within the X-Forwarded-For HTTP header during the login process. When an administrator looks at the logs, the payload is executed. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CVE-2020-26805 sapplica vulnerability CVSS: 6.5 12 Nov 2020, 19:15 UTC

In Sentrifugo 3.2, an admin can edit an employee's information via the endpoint /sentrifugo/index.php/empadditionaldetails/edit/userid/2. In this POST request, the "employeeNumId" parameter is affected by a SQLi vulnerability. An attacker can inject SQL commands into the query, read data from the database, or write data into the database.

CVE-2020-26804 sapplica vulnerability CVSS: 6.5 12 Nov 2020, 19:15 UTC

In Sentrifugo 3.2, users can share an announcement under the "Organization -> Announcements" tab. On this page, users can also upload attachments with the shared announcements. This "Upload Attachment" functionality suffers from an "Unrestricted File Upload" vulnerability, so an attacker can upload malicious files using this functionality and control the server.

CVE-2020-26803 sapplica vulnerability CVSS: 6.5 12 Nov 2020, 19:15 UTC

In Sentrifugo 3.2, users can upload an image under the "Assets -> Add" tab. This "Upload Images" functionality suffers from an "Unrestricted File Upload" vulnerability, so an attacker can upload malicious files using this functionality and control the server.

CVE-2020-10218 sapplica vulnerability CVSS: 4.0 13 Mar 2020, 17:15 UTC

A Blind SQL Injection issue was discovered in Sapplica Sentrifugo 3.2 via the index.php/holidaygroups/add id parameter because of the HolidaydatesController.php addAction function.

CVE-2019-16059 sapplica vulnerability CVSS: 6.8 06 Sep 2019, 19:15 UTC

Sentrifugo 3.2 lacks CSRF protection. This could lead to an attacker tricking the administrator into executing arbitrary code at index.php/dashboard/viewprofile via a crafted HTML page.

CVE-2018-15873 sapplica vulnerability CVSS: 7.5 28 Aug 2018, 19:29 UTC

A SQL Injection issue was discovered in Sentrifugo 3.2 via the deptid parameter.