106 matches found
CVE-2019-19734
CVE-2019-19734 affects MFScripts YetiShare 3.5.2 where _account_move_file_in_folder.ajax.php directly inserts values from the fileIds parameter into a SQL string, enabling SQL injection. Root cause is lack of proper input validation/parameterization, leading to manipulation of queries and potenti...
CVE-2019-19733
CVE-2019-19733 affects MFScripts YetiShare, version range 3.5.2 through 4.5.3. The vulnerability lies in the file get_all_file_server_paths.ajax.php where output derived from the client-supplied fileIds parameter is not sanitized/encoded, enabling an attacker to inject HTML or script code on the ...
CVE-2019-19732
translationmanagetext.ajax.php and various manage.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.3 directly insert values from the aSortDir0 and/or sSortDir0 parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from th...
CVE-2019-19732
The CVE-2019-19732 entry affects MFScripts YetiShare versions 3.5.2 through 4.5.3 (and related revisions noted in connected records). The underlying issue is direct insertion of values from the aSortDir_0 and/or sSortDir_0 parameters into a SQL string in translation_manage_text.ajax.php and multi...
CVE-2019-19739
CVE-2019-19739 affects MFScripts YetiShare versions 3.5.2 through 4.5.3. The root cause is that session cookies are created without the Secure flag, allowing them to be transmitted over cleartext channels. Impact: cookies may be exposed via insecure transport, as reflected in CVSS metrics (CVSS v...
CVE-2019-19739
MFScripts YetiShare 3.5.2 through 4.5.3 does not set the Secure flag on session cookies, allowing the cookie to be sent over cleartext channels...