Mfscripts >> Yetishare >> 3.11 Security Vulnerabilities
MFScripts YetiShare 3.5.2 through 4.5.3 does not set the Secure flag on session cookies, allowing the cookie to be sent over cleartext channels.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2019-12-30
translation_manage_text.ajax.php and various *_manage.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.3 directly insert values from the aSortDir_0 and/or sSortDir_0 parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection.
CVSS Score: 7.2 | EPSS Score: 0.003 | Published: 2019-12-30
_get_all_file_server_paths.ajax.php (aka get_all_file_server_paths.ajax.php) in MFScripts YetiShare 3.5.2 through 4.5.3 does not sanitize or encode the output from the fileIds parameter on the page, which would allow an attacker to input HTML or execute scripts on the site, aka XSS.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2019-12-30

