Search query: MfscriptsYetishare

14 matches found

Added 2020/02/10 12:17 p.m., 70 views

CVE-2019-20062

The CVE-2019-20062 vulnerability affects MFScripts YetiShare versions 3.5.2 through 4.5.4, where an attacker can reset a user password by leveraging a leaked hash that does not expire until used. The available connected documents (Red Hat advisory and NVD listing) confirm the affected product ran...

CVSS 9.8, AI score 9.3, EPSS 0.00373
Added 2019/12/30 4:59 p.m., 57 views

CVE-2019-19734

CVE-2019-19734 affects MFScripts YetiShare 3.5.2, where _account_move_file_in_folder.ajax.php directly inserts values from the fileIds parameter into a SQL string, enabling SQL injection. The root cause is the absence of input validation and query parameterization, leading to manipulation of queries and potenti...

CVSS 8.8, AI score 8.7, EPSS 0.00285
Added 2019/12/30 5:07 p.m., 56 views

CVE-2019-19806

The CVE-2019-19806 issue affects MFScripts YetiShare versions 3.5.2 through 4.5.3, where _account_forgot_password.ajax.php reveals whether an email address is configured for a given account name. This enables attacker-driven account enumeration via guessing email addresses. The connected document...

CVSS 5.3, AI score 5.2, EPSS 0.00358
Added 2019/12/30 4:59 p.m., 54 views

CVE-2019-19732

The CVE-2019-19732 entry affects MFScripts YetiShare versions 3.5.2 through 4.5.3 (and related revisions noted in connected records). The underlying issue is direct insertion of values from the aSortDir_0 and/or sSortDir_0 parameters into a SQL string in translation_manage_text.ajax.php and multi...

CVSS 7.2, AI score 7.3, EPSS 0.00303
Added 2019/12/30 5:00 p.m., 53 views

CVE-2019-19738

The CVE-2019-19738 entry applies to Mellow Fish YetiShare (MFScripts) 3.5.2 through 4.5.3. The root cause is that log_file_viewer.php does not sanitize or encode the output from the lFile parameter, allowing an attacker to inject HTML or scripts (XSS) on the page. The connected Red Hat and CNVD r...

CVSS 6.1, AI score 6.2, EPSS 0.00328
Added 2019/12/30 5:00 p.m., 51 views

CVE-2019-19735

The CVE-2019-19735 issue affects Mellow Fish YetiShare (MFScripts YetiShare) versions 3.5.2–4.5.3, specifically in class.userpeer.php. The root cause is an insecure method for generating password reset hashes based solely on microtime, enabling an attacker to brute-force the hash and set a passwo...

CVSS 9.1, AI score 9.2, EPSS 0.00168
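The two reset-token findings above (CVE-2019-19735, a hash derived only from microtime, and CVE-2019-20062, a hash that stays valid until used) share one fix, so here is one added example that is not YetiShare code. The exact vulnerable derivation (md5 of the microsecond timestamp), the in-memory token store, the 30-minute lifetime and the timestamps are assumptions for illustration; it needs PHP 7.4 or later.

```php
<?php
// Added example, not code from YetiShare. Shows why a microtime-only reset hash is
// brute-forceable and how a hardened issue/redeem pair (random token, hashed at rest,
// expiring, single-use) closes both CVE-2019-19735 and CVE-2019-20062.
declare(strict_types=1);

// Assumed weak derivation: the only input is the microsecond timestamp.
function weakResetHash(int $microsSinceEpoch): string
{
    return md5((string) $microsSinceEpoch);
}

// An attacker who knows the request time to the second (e.g. from the reset
// e-mail's Date header) has at most 1,000,000 candidates to try.
function bruteForceWeakHash(string $leakedHash, int $second): ?int
{
    $base = $second * 1_000_000;
    for ($us = 0; $us < 1_000_000; $us++) {
        if (hash_equals($leakedHash, weakResetHash($base + $us))) {
            return $base + $us;
        }
    }
    return null;
}

// Hardened: 256-bit random token sent to the user, only its SHA-256 stored,
// 30-minute expiry, and removal from the store on first redemption attempt.
final class ResetTokenStore
{
    private array $rows = []; // sha256(token) => ['user' => int, 'expires' => int]

    public function issue(int $userId, int $now): string
    {
        $token = bin2hex(random_bytes(32));
        $this->rows[hash('sha256', $token)] = ['user' => $userId, 'expires' => $now + 1800];
        return $token;
    }

    public function redeem(string $token, int $now): ?int
    {
        $key = hash('sha256', $token);
        if (!isset($this->rows[$key])) {
            return null;
        }
        $row = $this->rows[$key];
        unset($this->rows[$key]);           // single use: gone whether or not it is still valid
        return $row['expires'] >= $now ? $row['user'] : null;
    }
}

// Demo on constructed values.
$requestSecond = 1577700000;                       // constructed request time
$leaked = weakResetHash($requestSecond * 1_000_000 + 123456);
$recovered = bruteForceWeakHash($leaked, $requestSecond);
printf("weak hash recovered by brute force: %s\n", $recovered !== null ? 'yes' : 'no');

$store = new ResetTokenStore();
$t1 = $store->issue(42, $requestSecond);
var_dump($store->redeem($t1, $requestSecond + 60));     // int(42): valid, first use
var_dump($store->redeem($t1, $requestSecond + 61));     // NULL: already consumed
$t2 = $store->issue(42, $requestSecond);
var_dump($store->redeem($t2, $requestSecond + 3600));   // NULL: expired before use
```

The brute-force loop finishes in well under a second on ordinary hardware, which is the whole point: a timestamp is not a secret, so no hash of it is either. Hashing the stored token means a database read (for instance through the SQL injection findings in this same listing) does not yield usable reset links.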
Added 2019/12/30 5:00 p.m., 51 views

CVE-2019-19736

CVE-2019-19736 concerns MFScripts YetiShare 3.5.2–4.5.3 where session cookies lack the HttpOnly flag, enabling potential script access and cookie theft via cross-site scripting. Affected component: server-side session handling in YetiShare; root cause: absence of HttpOnly on cookies. Impact: risk...

CVSS 6.1, AI score 5.9, EPSS 0.00275
Added 2020/02/10 12:13 p.m., 51 views

CVE-2019-20059

CVE-2019-20059 affects MFScripts YetiShare versions 3.5.2 through 4.5.4. The vulnerability arises because payment_manage.ajax.php and various *_manage.ajax.php directly insert values from the sSortDir_0 parameter into a SQL string, enabling SQL injection and potential data extraction. This issue ...

CVSS 8.8, AI score 7.3, EPSS 0.0146
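Three of the entries in this listing are the same bug class: a request parameter spliced into SQL text, either a sort direction (sSortDir_0 / aSortDir_0 in CVE-2019-19732 and CVE-2019-20059) or an id list (fileIds in CVE-2019-19734). The added example below is not YetiShare code; it shows the vulnerable concatenation beside a hardened version. The table and column names, the request array and the UNION payload are constructed, and an in-memory SQLite database (pdo_sqlite, PHP 7.4+) stands in for whatever database the real application uses.

```php
<?php
// Added example, not code from YetiShare. Sort direction and id list spliced
// into SQL (the pattern behind CVE-2019-19732, CVE-2019-20059, CVE-2019-19734)
// beside an allowlist + prepared-statement version.
declare(strict_types=1);

// Vulnerable: both the id list and the ORDER BY direction come straight from the request.
function listFilesVulnerable(PDO $db, array $req): array
{
    $sql = "SELECT id, filename FROM file WHERE id IN (" . $req['fileIds'] . ")"
         . " ORDER BY filename " . $req['sSortDir_0'];
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a sort direction cannot be a bound parameter, so it is mapped through a
// fixed allowlist; every id is cast to int and bound through a generated placeholder.
function listFilesHardened(PDO $db, array $req): array
{
    $dir = strtoupper((string) ($req['sSortDir_0'] ?? 'ASC'));
    if (!in_array($dir, ['ASC', 'DESC'], true)) {
        $dir = 'ASC';                                  // anything else is dropped, not echoed
    }
    $ids = array_values(array_filter(
        array_map('intval', explode(',', (string) ($req['fileIds'] ?? ''))),
        fn (int $id): bool => $id > 0
    ));
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare(
        "SELECT id, filename FROM file WHERE id IN ($placeholders) ORDER BY filename $dir"
    );
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed fixture so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE file (id INTEGER PRIMARY KEY, filename TEXT, owner_id INTEGER)");
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)");
$db->exec("INSERT INTO file VALUES (1,'a.txt',1),(2,'b.txt',1),(3,'secret.pdf',2)");
$db->exec("INSERT INTO users VALUES (1,'alice@example.test','bcrypt-hash-goes-here')");

// Benign request: works identically in both versions.
$benign = ['fileIds' => '1,2', 'sSortDir_0' => 'DESC'];
print_r(listFilesHardened($db, $benign));          // b.txt then a.txt

// Constructed attack: close the IN list, UNION in another table, comment out the rest.
$malicious = [
    'fileIds'    => "0) UNION SELECT id, email || ':' || password_hash FROM users -- ",
    'sSortDir_0' => 'ASC',
];
print_r(listFilesVulnerable($db, $malicious));     // returns alice@example.test:bcrypt-hash-goes-here
print_r(listFilesHardened($db, $malicious));       // [] : the payload intval()s to 0 and is discarded
```

Note that the direction parameter needs the allowlist rather than a prepared statement: `ORDER BY ?` binds a string literal, which does not sort anything, so developers who "parameterize everything" still end up concatenating here. Mapping to exactly `ASC`/`DESC` (or a fixed column map for the sort column itself) is the correct shape for that part of the query.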
Added 2020/02/10 12:19 p.m., 51 views

CVE-2019-20061

CVE-2019-20061 describes a vulnerability in MFScripts YetiShare (versions 3.5.2–4.5.4) where the user introduction email may disclose the system-generated initial password if sent in cleartext. Root cause: the initial password is not user-chosen, and sending it in plaintext enables leakage. Impact noted...

CVSS 7.5, AI score 7.5, EPSS 0.00213
Added 2019/12/30 4:59 p.m., 50 views

CVE-2019-19733

CVE-2019-19733 affects MFScripts YetiShare, version range 3.5.2 through 4.5.3. The vulnerability lies in the file get_all_file_server_paths.ajax.php where output derived from the client-supplied fileIds parameter is not sanitized/encoded, enabling an attacker to inject HTML or script code on the ...

CVSS 6.1, AI score 6.2, EPSS 0.00328
Added 2019/12/30 5:05 p.m., 50 views

CVE-2019-19805

Affected software: MFScripts YetiShare, versions 3.5.2 through 4.5.3. The vulnerability stems from a timing discrepancy in _account_forgot_password.ajax.php that reveals whether an email address is configured for a given account name, enabling an attacker to enumerate valid accounts by guessing e...

CVSS 5.3, AI score 5.2, EPSS 0.00358
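CVE-2019-19805 (timing) and CVE-2019-19806 (message content) are the two channels through which a forgot-password form leaks whether an account exists. The added example below is not YetiShare code; it shows a handler that leaks through both channels next to one that returns the same message and does the same amount of work on every path. The user table, the bcrypt cost and the omitted mailer are constructed assumptions; it needs PHP 7.4 or later.

```php
<?php
// Added example, not code from YetiShare. Account enumeration through a
// forgot-password endpoint (CVE-2019-19805 timing, CVE-2019-19806 message text)
// and a handler that closes both channels.
declare(strict_types=1);

// Constructed user store: username => configured e-mail address.
$users = ['alice' => 'alice@example.test'];

// Vulnerable: distinct messages reveal the account state, and the early returns
// skip the expensive work, so an unknown username also answers noticeably faster.
function forgotVulnerable(array $users, string $username, string $email): string
{
    if (!isset($users[$username])) {
        return 'No account with that username.';
    }
    if ($users[$username] !== $email) {
        return 'That email is not configured for this account.';
    }
    $token = bin2hex(random_bytes(32));
    password_hash($token, PASSWORD_BCRYPT, ['cost' => 10]); // store hash, send mail (omitted)
    return 'Reset email sent.';
}

// Hardened: one message, the same bcrypt work on every path, and a comparison whose
// running time does not depend on where the strings differ or how long they are.
function forgotHardened(array $users, string $username, string $email): string
{
    $known  = isset($users[$username]);
    $stored = $known ? $users[$username] : 'nobody@invalid.example'; // dummy value keeps the work equal
    $match  = $known && hash_equals(hash('sha256', $stored), hash('sha256', $email));
    $token  = bin2hex(random_bytes(32));
    password_hash($token, PASSWORD_BCRYPT, ['cost' => 10]);         // always paid, result discarded if !$match
    if ($match) {
        // persist hash('sha256', $token) with an expiry and queue the e-mail here (omitted)
    }
    return 'If the account exists and the email matches, a reset link has been sent.';
}

// Measure wall-clock time of one call in milliseconds.
function timeIt(callable $fn): float
{
    $start = hrtime(true);
    $fn();
    return (hrtime(true) - $start) / 1e6;
}

printf("vulnerable, unknown user: %6.2f ms  %s\n",
    timeIt(fn () => forgotVulnerable($users, 'bob', 'x@example.test')),
    forgotVulnerable($users, 'bob', 'x@example.test'));
printf("vulnerable, known user:   %6.2f ms  %s\n",
    timeIt(fn () => forgotVulnerable($users, 'alice', 'alice@example.test')),
    forgotVulnerable($users, 'alice', 'alice@example.test'));
printf("hardened, unknown user:   %6.2f ms  %s\n",
    timeIt(fn () => forgotHardened($users, 'bob', 'x@example.test')),
    forgotHardened($users, 'bob', 'x@example.test'));
printf("hardened, known user:     %6.2f ms  %s\n",
    timeIt(fn () => forgotHardened($users, 'alice', 'alice@example.test')),
    forgotHardened($users, 'alice', 'alice@example.test'));
```

The vulnerable unknown-user call returns in microseconds while the known-user call pays the bcrypt cost (tens of milliseconds), a gap that is trivially measurable over a network. The hardened version also sends the mail asynchronously in a real deployment, since the delivery attempt itself is another timing side channel.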
Added 2020/02/10 12:20 p.m., 48 views

CVE-2019-20060

The CVE-2019-20060 issue affects MFScripts YetiShare, specifically versions 3.5.2 through 4.5.4. The root cause is that sensitive information is placed in the Referer header, which can be leaked to third parties. This exposure can reveal password-reset hashes, file-delete links, and other sensiti...

CVSS 7.5, AI score 7.4, EPSS 0.00468
Added 2019/12/30 5:00 p.m., 46 views

CVE-2019-19737

CVE-2019-19737 affects MFScripts YetiShare in versions 3.5.2 through 4.5.3. The root cause is that session cookies do not have the SameSite flag set, allowing cookies to be sent with cross-site requests and potentially enabling cross-site request forgery attacks. Multiple connected sources confir...

CVSS 8.8, AI score 8.5, EPSS 0.00177
Added 2019/12/30 4:46 p.m., 45 views

CVE-2019-19739

CVE-2019-19739 affects MFScripts YetiShare versions 3.5.2 through 4.5.3. The root cause is that session cookies are created without the Secure flag, allowing them to be transmitted over cleartext channels. Impact: cookies may be exposed via insecure transport, as reflected in CVSS metrics (CVSS v...

CVSS 7.5, AI score 7.4, EPSS 0.00183
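The three cookie-attribute entries (CVE-2019-19736 HttpOnly, CVE-2019-19737 SameSite, CVE-2019-19739 Secure) are fixed with one configuration call, and verified with one look at the response headers. The added example below is not YetiShare code: it shows the weak and hardened session cookie parameters for PHP's own session handler, plus a small checker that reports which hardening attributes a Set-Cookie header lacks. The header lines are constructed; the `samesite` key requires PHP 7.3 or later.

```php
<?php
// Added example, not code from YetiShare. Session cookie hardening for the three
// attribute findings (HttpOnly, SameSite, Secure) and a checker for Set-Cookie headers.
declare(strict_types=1);

// Weak: what you get when nothing is configured. Secure, HttpOnly and SameSite are absent,
// so the cookie travels over cleartext, is readable by injected script, and rides along
// on cross-site requests.
$weakParams = ['lifetime' => 0, 'path' => '/'];

// Hardened. Call session_set_cookie_params($hardParams) before session_start().
$hardParams = [
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,   // TLS only (CVE-2019-19739)
    'httponly' => true,   // not exposed to document.cookie (CVE-2019-19736)
    'samesite' => 'Lax',  // not sent on cross-site POSTs (CVE-2019-19737); 'Strict' if the app tolerates it
];

/**
 * Return the hardening attributes missing from one Set-Cookie header value.
 * SameSite=None is reported as missing because it still allows cross-site sends.
 */
function missingCookieFlags(string $setCookieValue): array
{
    $parts = array_map('trim', explode(';', $setCookieValue));
    array_shift($parts);                        // drop the name=value pair
    $seen = [];
    foreach ($parts as $attr) {
        if ($attr === '') {
            continue;
        }
        [$name, $value] = array_pad(explode('=', $attr, 2), 2, null);
        $seen[strtolower($name)] = $value === null ? true : trim($value);
    }
    $missing = [];
    if (!isset($seen['secure'])) {
        $missing[] = 'Secure';
    }
    if (!isset($seen['httponly'])) {
        $missing[] = 'HttpOnly';
    }
    $sameSite = isset($seen['samesite']) ? strtolower((string) $seen['samesite']) : null;
    if ($sameSite === null || $sameSite === 'none') {
        $missing[] = 'SameSite=Lax|Strict';
    }
    return $missing;
}

// Constructed header lines, in the shape `curl -sI https://host/` would print them.
$headers = [
    'Set-Cookie: PHPSESSID=abc123; path=/',
    'Set-Cookie: PHPSESSID=abc123; path=/; secure; HttpOnly; SameSite=Lax',
    'Set-Cookie: PHPSESSID=abc123; path=/; secure; HttpOnly; SameSite=None',
];
foreach ($headers as $line) {
    $value   = trim(substr($line, strlen('Set-Cookie:')));
    $missing = missingCookieFlags($value);
    printf("%-72s -> %s\n", $line, $missing ? 'missing ' . implode(', ', $missing) : 'ok');
}
```

The first constructed header reproduces the state the three CVEs describe and is reported as missing all three attributes; the second passes; the third shows why the checker treats SameSite=None as not mitigating CSRF even though the Secure flag is present.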