FKIE_CVE-2019-19738

Vulnerability from fkie_nvd - Published: 2019-12-30 17:15 - Updated: 2024-11-21 04:35
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
log_file_viewer.php in MFScripts YetiShare 3.5.2 through 4.5.3 does not sanitize or encode the output from the lFile parameter on the page, which would allow an attacker to input HTML or execute scripts on the site, aka XSS.
References
cve@mitre.orghttps://github.com/jra89/CVE-2019-19738Exploit, Third Party Advisory
cve@mitre.orghttps://medium.com/%40jra8908/yetishare-3-5-2-4-5-3-multiple-vulnerabilities-2d01d0cd7459
af854a3a-2127-422b-91ae-364da2661108https://github.com/jra89/CVE-2019-19738Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://medium.com/%40jra8908/yetishare-3-5-2-4-5-3-multiple-vulnerabilities-2d01d0cd7459
Impacted products
Vendor Product Version
mfscripts yetishare *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mfscripts:yetishare:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FF024839-B099-4E99-B1E4-1B15A7F67DDD",
              "versionEndIncluding": "4.5.3",
              "versionStartIncluding": "3.5.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "log_file_viewer.php in MFScripts YetiShare 3.5.2 through 4.5.3 does not sanitize or encode the output from the lFile parameter on the page, which would allow an attacker to input HTML or execute scripts on the site, aka XSS."
    },
    {
      "lang": "es",
      "value": "El archivo log_file_viewer.php en MFScripts YetiShare versiones 3.5.2 hasta la versi\u00f3n  4.5.3, no sanea ni codifica la salida del par\u00e1metro lFile en la p\u00e1gina, lo que permitir\u00eda a un atacante ingresar HTML o ejecutar scripts sobre el sitio, tambi\u00e9n se conoce como un XSS."
    }
  ],
  "id": "CVE-2019-19738",
  "lastModified": "2024-11-21T04:35:17.307",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-12-30T17:15:20.420",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/jra89/CVE-2019-19738"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://medium.com/%40jra8908/yetishare-3-5-2-4-5-3-multiple-vulnerabilities-2d01d0cd7459"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/jra89/CVE-2019-19738"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://medium.com/%40jra8908/yetishare-3-5-2-4-5-3-multiple-vulnerabilities-2d01d0cd7459"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.