CVE-2019-19734

Name of the Vulnerable Software and Affected Versions YetiShare version 3.5.2

Description The issue allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database. This is due to the direct insertion of values from the fileIds parameter into a SQL string in the account move file in folder.ajax.php file.

Recommendations For YetiShare version 3.5.2, consider restricting access to the account move file in folder.ajax.php file until a patch is available. As a temporary workaround, avoid using the fileIds parameter in the affected API endpoint until the issue is resolved.