CVE-2019-19732

Name of the Vulnerable Software and Affected Versions MFScripts YetiShare versions 3.5.2 through 4.5.3

Description The issue allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database. This is achieved by directly inserting values from the aSortDir 0 and/or sSortDir 0 parameter into a SQL string in files such as translation manage text.ajax.php and various other * manage.ajax.php files.

Recommendations For MFScripts YetiShare versions 3.5.2 through 4.5.3, consider restricting access to the vulnerable translation manage text.ajax.php and other * manage.ajax.php files until a patch is available. As a temporary workaround, avoid using the aSortDir 0 and sSortDir 0 parameters in the affected API endpoints.