106 matches found
Sql injection
paymentmanage.ajax.php and various manage.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.4 directly insert values from the sSortDir0 parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL...
Default credentials
MFScripts YetiShare v3.5.2 through v4.5.4 might allow an attacker to reset a password by using a leaked hash the hash never expires until used...
CVE-2019-20060
The CVE-2019-20060 issue affects MFScripts YetiShare, specifically versions 3.5.2 through 4.5.4. The root cause is that sensitive information is placed in the Referer header, which can be leaked to third parties. This exposure can reveal password-reset hashes, file-delete links, and other sensiti...
CVE-2019-20060
MFScripts YetiShare v3.5.2 through v4.5.4 places sensitive information in the Referer header. If this leaks, then third parties may discover password-reset hashes, file-delete links, or other sensitive information...
CVE-2019-20061
The user-introduction email in MFScripts YetiShare v3.5.2 through v4.5.4 may leak the system-picked password if this email is sent in cleartext. In other words, the user is not allowed to choose their own initial password...
CVE-2019-20061
The CVE describes a vulnerability in MFScripts YetiShare (versions 3.5.2–4.5.4) where the user introduction email may disclose the system-generated initial password if sent in cleartext. Root cause: the initial password is not user-chosen, and sending it in plaintext enables leakage. Impact noted...
CVE-2019-20062
MFScripts YetiShare v3.5.2 through v4.5.4 might allow an attacker to reset a password by using a leaked hash the hash never expires until used...
CVE-2019-20062
The CVE-2019-20062 vulnerability affects MFScripts YetiShare versions 3.5.2 through 4.5.4, where an attacker can reset a user password by leveraging a leaked hash that does not expire until used. The available connected documents (Red Hat advisory and NVD listing) confirm the affected product ran...
CVE-2019-20059
CVE-2019-20059 affects MFScripts YetiShare versions 3.5.2 through 4.5.4. The vulnerability arises because payment_manage.ajax.php and various *_manage.ajax.php directly insert values from the sSortDir_0 parameter into a SQL string, enabling SQL injection and potential data extraction. This issue ...
CVE-2019-20059
paymentmanage.ajax.php and various manage.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.4 directly insert values from the sSortDir0 parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL...
MFScripts YetiShare SQL Injection Vulnerability
Mellow Fish YetiShare is a PHP-based file hosting web system script from Mellow Fish UK. A SQL injection vulnerability exists in the translationmanagetext.ajax.php and multiple manage.ajax.php files in Mellow Fish YetiShare versions 3.5.2 through 4.5.3. The vulnerability stems from a lack of...
Unspecified Vulnerability in Mellow Fish YetiShare
Mellow Fish YetiShare is a PHP-based file hosting web system script from Mellow Fish UK. A security vulnerability exists in the accountforgotpassword.ajax.php file in Mellow Fish YetiShare versions 3.5.2 through 4.5.3. An attacker can exploit the vulnerability to enumerate user accounts by guessi...
Mellow Fish YetiShare SQL Injection Vulnerability
Mellow Fish YetiShare is a PHP-based file hosting web system script from Mellow Fish UK. A SQL injection vulnerability exists in the accountmovefileinfolder.ajax.php file in Mellow Fish YetiShare version 3.5.2. The vulnerability stems from a database-based application that lacks validation of...
Mellow Fish YetiShare Cross-Site Scripting Vulnerability
Mellow Fish YetiShare is a PHP-based file hosting web system script from Mellow Fish UK. A security vulnerability exists in Mellow Fish YetiShare versions 3.5.2 through 4.5.3, which stems from the program not setting the HttpOnly flag on session cookies. An attacker can exploit the vulnerability ...
Mellow Fish YetiShare Information Disclosure Vulnerability (CNVD-2020-04700)
Mellow Fish YetiShare is a PHP-based file hosting web system script from Mellow Fish UK. An information disclosure vulnerability exists in Mellow Fish YetiShare versions 3.5.2 through 4.5.3, which stems from the program failing to set the Secure flag on session cookies, and can be exploited by an...
Mellow Fish YetiShare Information Disclosure Vulnerability
Mellow Fish YetiShare is a PHP-based file hosting web system script from Mellow Fish UK. A security vulnerability exists in the accountforgotpassword.ajax.php file in Mellow Fish YetiShare versions 3.5.2 through 4.5.3. An attacker can exploit the vulnerability to enumerate user accounts by guessi...
Unspecified Vulnerability in Mellow Fish YetiShare (CNVD-2020-00226)
Mellow Fish YetiShare is a PHP-based file hosting web system script from Mellow Fish UK. A security vulnerability exists in the class.userpeer.php file in Mellow Fish YetiShare versions 3.5.2 through 4.5.3, which stems from the program using an insecure method to create a password reset hash. An...
Mellow Fish YetiShare Cross-Site Request Forgery Vulnerability
Mellow Fish YetiShare is a PHP-based file hosting web system script from Mellow Fish UK. A security vulnerability exists in Mellow Fish YetiShare versions 3.5.2 through 4.5.3, which stems from the program not setting the SameSite flag on session cookies. An attacker can exploit this vulnerability...
MFScripts YetiShare Cross-Site Scripting Vulnerability
Mellow Fish YetiShare is a PHP-based file hosting web system script from Mellow Fish UK. A cross-site scripting vulnerability exists in the getallfileserverpaths.ajax.php file in Mellow Fish YetiShare versions 3.5.2 through 4.5.3. The vulnerability stems from a lack of proper validation of...
CVE-2019-19805
accountforgotpassword.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.3 takes a different amount of time to return depending on whether an email address is configured for the account name provided. This can be used by an attacker to enumerate accounts by guessing email addresses...