CVE-2019-19734

Severity: HIGH
WAF: High
CVSS: 8.8
Published: 2019-12-30
CWE-89

_account_move_file_in_folder.ajax.php in MFScripts YetiShare 3.5.2 directly inserts values from the fileIds parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection.

WAF Coverage Analysis

SQL Injection: High WAF Coverage

OWASP: A03:2021 Injection

942xxx - SQL Injection

Affected Software

Vendor      Product      Version
mfscripts   yetishare    up to 3.5.2
