CVE-2019-19732

translation_manage_text.ajax.php and various *_manage.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.3 directly insert values from the aSortDir_0 and/or sSortDir_0 parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 54%
VendorProductVersion
mfscriptsyetishare
3.5.2 ≤
𝑥
≤ 4.5.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/jra89/CVE-2019-19732
https://medium.com/%40jra8908/yetishare-3-5-2-4-5-3-multiple-vulnerabilities-2d01d0cd7459
https://github.com/jra89/CVE-2019-19732
https://medium.com/%40jra8908/yetishare-3-5-2-4-5-3-multiple-vulnerabilities-2d01d0cd7459