8 matches found
EUVD-2019-9334
Malware in sbrugna...
EUVD-2019-9335
Malware in sbrugna...
CVE-2019-19734
accountmovefileinfolder.ajax.php in MFScripts YetiShare 3.5.2 directly inserts values from the fileIds parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection...
CVE-2019-19733
getallfileserverpaths.ajax.php aka getallfileserverpaths.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.3 does not sanitize or encode the output from the fileIds parameter on the page, which would allow an attacker to input HTML or execute scripts on the site, aka XSS...
CVE-2015-9292
6kbbs 7.1 and 8.0 allows CSRF via portalchannelajax.php id or code parameter or admin.php fileids parameter...
CVE-2019-19733
getallfileserverpaths.ajax.php aka getallfileserverpaths.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.3 does not sanitize or encode the output from the fileIds parameter on the page, which would allow an attacker to input HTML or execute scripts on the site, aka XSS...
Design/Logic Flaw
getallfileserverpaths.ajax.php aka getallfileserverpaths.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.3 does not sanitize or encode the output from the fileIds parameter on the page, which would allow an attacker to input HTML or execute scripts on the site, aka XSS...
Sql injection
accountmovefileinfolder.ajax.php in MFScripts YetiShare 3.5.2 directly inserts values from the fileIds parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection...