Design/Logic Flaw

2019-12-3017:15:00

PRIOn knowledge base

www.prio-n.com

6.3 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

40.8%

JSON

_get_all_file_server_paths.ajax.php (aka get_all_file_server_paths.ajax.php) in MFScripts YetiShare 3.5.2 through 4.5.3 does not sanitize or encode the output from the fileIds parameter on the page, which would allow an attacker to input HTML or execute scripts on the site, aka XSS.

CPENameOperatorVersion
yetisharege3.5.2
yetisharele4.5.3

CPE	Name	Operator	Version
	yetishare	ge	3.5.2
	yetishare	le	4.5.3

References

github.com/jra89/CVE-2019-19733

medium.com/@jra8908/yetishare-3-5-2-4-5-3-multiple-vulnerabilities-2d01d0cd7459