CVE-2019-20061

The user-introduction email in MFScripts YetiShare v3.5.2 through v4.5.4 may leak the system-picked password if this email is sent in cleartext. In other words, the user is not allowed to choose their own initial password...

Mellow Fish YetiShare Cross-Site Scripting Vulnerability (CNVD-2020-00223)

Mellow Fish YetiShare is a PHP-based file hosting web system script from Mellow Fish UK. A cross-site scripting vulnerability exists in the logfileviewer.php file in Mellow Fish YetiShare versions 3.5.2 through 4.5.3. The vulnerability stems from a lack of proper validation of client-side data by...

CVE-2019-19734

accountmovefileinfolder.ajax.php in MFScripts YetiShare 3.5.2 directly inserts values from the fileIds parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection...

CVE-2019-19732

translationmanagetext.ajax.php and various manage.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.3 directly insert values from the aSortDir0 and/or sSortDir0 parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from th...