CVE-2024-29879
📋 TL;DR
This is a reflected Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2 that allows attackers to inject malicious scripts via the 'business_id' parameter. When exploited, it can steal user session data and potentially compromise accounts. Organizations running Sentrifugo 3.2 with the vulnerable endpoint accessible are affected.
💻 Affected Systems
- Sentrifugo
📦 What is this software?
Sentrifugo by Sapplica
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover, session hijacking, data theft, and potential privilege escalation if admin sessions are compromised.
Likely Case
Session theft leading to unauthorized access to user accounts and sensitive HR data within Sentrifugo.
If Mitigated
Limited impact with proper input validation and output encoding preventing script execution.
🎯 Exploit Status
XSS vulnerabilities are commonly weaponized, and this requires minimal technical skill to exploit via crafted URLs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-sentrifugo
Restart Required: No
Instructions:
No official patch available. Monitor vendor channels for updates and apply when released.
🔧 Temporary Workarounds
Input Validation and Sanitization
allImplement server-side validation and sanitization of the business_id parameter to prevent XSS payloads.
Web Application Firewall (WAF) Rules
allDeploy WAF rules to block malicious requests containing XSS patterns targeting the vulnerable endpoint.
🧯 If You Can't Patch
- Restrict access to the vulnerable endpoint using network controls or authentication requirements.
- Implement Content Security Policy (CSP) headers to mitigate the impact of successful XSS exploitation.
🔍 How to Verify
Check if Vulnerable:
Test the endpoint /sentrifugo/index.php/index/getdepartments/format/html?business_id=<script>alert('XSS')</script> and check if script executes.Check Version:
Check Sentrifugo version in application interface or configuration files.Verify Fix Applied:
After applying workarounds, retest with XSS payloads to ensure they are properly sanitized or blocked.📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /sentrifugo/index.php/index/getdepartments/format/html with suspicious parameters containing script tags or JavaScript code.
Network Indicators:
- Unusual outbound connections from Sentrifugo servers following visits to crafted URLs.
SIEM Query:
source="web_logs" AND uri="/sentrifugo/index.php/index/getdepartments/format/html" AND (param="business_id" AND value CONTAINS "<script>" OR "javascript:")