CRITICAL🇵🇱 Wersja polska

CVE-2019-19735

CVSS 9.1v3.1pub. 2019-12-30upd. 2024-11-21

class.userpeer.php in MFScripts YetiShare 3.5.2 through 4.5.3 uses an insecure method of creating password reset hashes (based only on microtime), which allows an attacker to guess the hash and set the password within a few hours by bruteforcing.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Mfscripts Yetishare

    APP
    Mfscripts
    3.5.2 – 4.5.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2019-20062CRITICAL9.8ten sam produkt

MFScripts YetiShare v3.5.2 through v4.5.4 might allow an attacker to reset a password by using a leaked hash (...

CVE-2019-20061HIGH7.5ten sam produkt

The user-introduction email in MFScripts YetiShare v3.5.2 through v4.5.4 may leak the (system-picked) password...

CVE-2019-20059HIGH8.8ten sam produkt

payment_manage.ajax.php and various *_manage.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.4 directly inse...

CVE-2019-20060HIGH7.5ten sam produkt

MFScripts YetiShare v3.5.2 through v4.5.4 places sensitive information in the Referer header. If this leaks, t...

CVE-2019-19734HIGH8.8ten sam produkt

_account_move_file_in_folder.ajax.php in MFScripts YetiShare 3.5.2 directly inserts values from the fileIds pa...