Every CVE whose affected-product data names Mfscripts Yetishare, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (14)
CVE-2019-20062 — CVSS 9.8 (critical): MFScripts YetiShare v3.5.2 through v4.5.4 might allow an attacker to reset a password by using a leaked hash (the hash never expires until…
CVE-2019-19735 — CVSS 9.1 (critical): class.userpeer.php in MFScripts YetiShare 3.5.2 through 4.5.3 uses an insecure method of creating password reset hashes (based only on…
CVE-2019-19737 — CVSS 8.8 (high): MFScripts YetiShare 3.5.2 through 4.5.3 does not set the SameSite flag on session cookies, allowing the cookie to be sent in cross-site…
CVE-2019-19734 — CVSS 8.8 (high): _account_move_file_in_folder.ajax.php in MFScripts YetiShare 3.5.2 directly inserts values from the fileIds parameter into a SQL string…
CVE-2019-20059 — CVSS 8.8 (high): payment_manage.ajax.php and various *_manage.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.4 directly insert values from the sSortDir_0…
CVE-2019-19739 — CVSS 7.5 (high): MFScripts YetiShare 3.5.2 through 4.5.3 does not set the Secure flag on session cookies, allowing the cookie to be sent over cleartext…
CVE-2019-20060 — CVSS 7.5 (high): MFScripts YetiShare v3.5.2 through v4.5.4 places sensitive information in the Referer header. If this leaks, then third parties may…
CVE-2019-20061 — CVSS 7.5 (high): The user-introduction email in MFScripts YetiShare v3.5.2 through v4.5.4 may leak the (system-picked) password if this email is sent in…
CVE-2019-19732 — CVSS 7.2 (high): translation_manage_text.ajax.php and various *_manage.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.3 directly insert values from the…
CVE-2019-19736 — CVSS 6.1 (medium): MFScripts YetiShare 3.5.2 through 4.5.3 does not set the HttpOnly flag on session cookies, allowing the cookie to be read by script, which…
CVE-2019-19733 — CVSS 6.1 (medium): _get_all_file_server_paths.ajax.php (aka get_all_file_server_paths.ajax.php) in MFScripts YetiShare 3.5.2 through 4.5.3 does not sanitize…
CVE-2019-19738 — CVSS 6.1 (medium): log_file_viewer.php in MFScripts YetiShare 3.5.2 through 4.5.3 does not sanitize or encode the output from the lFile parameter on the page…
CVE-2019-19805 — CVSS 5.3 (medium): _account_forgot_password.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.3 takes a different amount of time to return depending on…
CVE-2019-19806 — CVSS 5.3 (medium): _account_forgot_password.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.3 displays a message indicating whether an email address is…