CVE-2020-26804

Published: Nov 12, 2020Modified: Jun 17, 2026

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

In Sentrifugo 3.2, users can share an announcement under "Organization -> Announcements" tab. Also, in this page, users can upload attachments with the shared announcements. This "Upload Attachment" functionality is suffered from "Unrestricted File Upload" vulnerability so attacker can upload malicious files using this functionality and control the server.

Affected (1)

Products: Sapplica: Sentrifugo

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Sapplica Sentrifugo	Version 3.2

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (2)

https://fatihhcelik.blogspot.com/2020/10/sentrifugo-version-32-rce-authenticated.html

Source: cve@mitre.org

ExploitThird Party Advisory

https://fatihhcelik.blogspot.com/2020/10/sentrifugo-version-32-rce-authenticated.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.