exploitDog

CVE-2019-19734

Опубликовано: 30 дек. 2019

Источник: nvd

CVSS3: 8.8

CVSS2: 6.5

EPSS Низкий

Описание

_account_move_file_in_folder.ajax.php in MFScripts YetiShare 3.5.2 directly inserts values from the fileIds parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection.

Ссылки

https://github.com/jra89/CVE-2019-19734
Exploit
Third Party Advisory
https://medium.com/%40jra8908/yetishare-3-5-2-4-5-3-multiple-vulnerabilities-2d01d0cd7459
https://github.com/jra89/CVE-2019-19734
Exploit
Third Party Advisory
https://medium.com/%40jra8908/yetishare-3-5-2-4-5-3-multiple-vulnerabilities-2d01d0cd7459

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:mfscripts:yetishare:*:*:*:*:*:*:*:*

Версия до 3.5.2 (включая)

EPSS

Процентиль: 53%

0.003

Низкий

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-89

Связанные уязвимости

GHSA-frf6-3pgf-73mh

CVSS3: 8.8

github

больше 3 лет назад

_account_move_file_in_folder.ajax.php in MFScripts YetiShare 3.5.2 directly inserts values from the fileIds parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection.

EPSS

Процентиль: 53%

0.003

Низкий

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-89