70 matches found
CVE-2019-19736
MFScripts YetiShare 3.5.2 through 4.5.3 does not set the HttpOnly flag on session cookies, allowing the cookie to be read by script, which can potentially be used by attackers to obtain the cookie via cross-site scripting...
CVE-2019-19736
CVE-2019-19736 concerns MFScripts YetiShare 3.5.2–4.5.3 where session cookies lack the HttpOnly flag, enabling potential script access and cookie theft via cross-site scripting. Affected component: server-side session handling in YetiShare; root cause: absence of HttpOnly on cookies. Impact: risk...
CVE-2019-19735
class.userpeer.php in MFScripts YetiShare 3.5.2 through 4.5.3 uses an insecure method of creating password reset hashes based only on microtime, which allows an attacker to guess the hash and set the password within a few hours by bruteforcing...
CVE-2019-19734
_account_move_file_in_folder.ajax.php in MFScripts YetiShare 3.5.2 directly inserts values from the fileIds parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection...
CVE-2019-19734
CVE-2019-19734 affects MFScripts YetiShare 3.5.2 where _account_move_file_in_folder.ajax.php directly inserts values from the fileIds parameter into a SQL string, enabling SQL injection. Root cause is lack of proper input validation/parameterization, leading to manipulation of queries and potenti...
CVE-2019-19733
CVE-2019-19733 affects MFScripts YetiShare, version range 3.5.2 through 4.5.3. The vulnerability lies in the file get_all_file_server_paths.ajax.php where output derived from the client-supplied fileIds parameter is not sanitized/encoded, enabling an attacker to inject HTML or script code on the ...
CVE-2019-19732
The CVE-2019-19732 entry affects MFScripts YetiShare versions 3.5.2 through 4.5.3 (and related revisions noted in connected records). The underlying issue is direct insertion of values from the aSortDir_0 and/or sSortDir_0 parameters into a SQL string in translation_manage_text.ajax.php and multi...
CVE-2019-19732
translation_manage_text.ajax.php and various _manage.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.3 directly insert values from the aSortDir_0 and/or sSortDir_0 parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from th...
CVE-2019-19739
CVE-2019-19739 affects MFScripts YetiShare versions 3.5.2 through 4.5.3. The root cause is that session cookies are created without the Secure flag, allowing them to be transmitted over cleartext channels. Impact: cookies may be exposed via insecure transport, as reflected in CVSS metrics (CVSS v...
CVE-2019-19739
MFScripts YetiShare 3.5.2 through 4.5.3 does not set the Secure flag on session cookies, allowing the cookie to be sent over cleartext channels...