PT-2019-15966 · Mfscripts · Mfscripts Yetishare

Published

2019-12-30

·

Updated

2021-07-21

·

CVE-2019-19805

CVSS v3.1

5.3

Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: MFScripts YetiShare versions 3.5.2 through 4.5.3
Description: The issue allows an attacker to enumerate accounts by guessing email addresses, because the response time of the account forgot password.ajax.php file differs depending on whether an email address is configured for the supplied account name.
Recommendations: For versions 3.5.2 through 4.5.3, make the response time of the account forgot password.ajax.php file constant, so the timing difference can no longer be used to enumerate accounts. Additionally, restrict access to this file or apply rate limiting to reduce the number of guesses an attacker can make.
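The following is an added illustration of the recommendation, written in Python rather than taken from YetiShare (whose code this is not). It places a forgot-password handler built on the leaky pattern next to a constant-cost version: the leaky one performs the expensive steps (token derivation, inline mail delivery) only when the account has an email on file, while the hardened one does the same work on every path, hands mail delivery to a queue, returns one generic message, and is fronted by a sliding-window rate limiter. The account table, the `WORK_LOG` instrumentation and the `RateLimiter` class are constructed for this example.

```python
"""Forgot-password handler with and without the timing side channel (constructed example)."""
import hashlib
import secrets
import time
from collections import defaultdict, deque

# Constructed sample account table: account name -> configured email (None = not set).
ACCOUNTS = {
    "alice": "alice@example.org",
    "bob": None,
}

GENERIC_MESSAGE = ("If that account exists and has an email address on file, "
                   "a password reset link has been sent.")

# Records each expensive step so the cost difference between the two handlers is
# observable in a test without relying on wall-clock measurements.
WORK_LOG = []


def lookup_email(name):
    """Constant-cost lookup standing in for the accounts table query."""
    return ACCOUNTS.get(name)


def derive_reset_token(account_name):
    """Expensive step (PBKDF2 key stretching) that dominates the response time."""
    WORK_LOG.append(("derive", account_name))
    raw = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    return hashlib.pbkdf2_hmac("sha256", raw, salt, 50_000).hex()


def send_mail_synchronously(email, token):
    """Stand-in for an SMTP round trip performed inline, inside the request."""
    WORK_LOG.append(("smtp", email))
    return {"to": email, "token": token}


def vulnerable_forgot_password(name):
    """Leaky pattern: all costly work sits behind the 'email configured' check,
    so a fast answer tells the caller that no email is set for this name."""
    email = lookup_email(name)
    if email is not None:
        token = derive_reset_token(name)
        send_mail_synchronously(email, token)
    return GENERIC_MESSAGE


def hardened_forgot_password(name, mail_queue):
    """Same cost on both paths: derive the token unconditionally and only enqueue
    the mail; a worker delivers it later, off the request path."""
    email = lookup_email(name)
    token = derive_reset_token(name)          # always executed
    if email is not None:
        mail_queue.append((email, token))     # cheap list append, not an SMTP round trip
    return GENERIC_MESSAGE


class RateLimiter:
    """Sliding-window limiter keyed by client identity (for example the source IP)."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock          # injectable for deterministic tests
        self.hits = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        q = self.hits[key]
        while q and q[0] <= now - self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def handle_request(client_ip, name, limiter, mail_queue):
    """Entry point: apply the rate limit first, then the constant-cost handler."""
    if not limiter.allow(client_ip):
        return "Too many requests; try again later."
    return hardened_forgot_password(name, mail_queue)
```

Two details matter when carrying this over to a real handler. The remaining branch in `hardened_forgot_password` is a list append, so its cost is negligible next to the key stretching; what must never sit inside the branch is the mail delivery itself, which is why it goes to a queue. The account lookup should also cost the same for known and unknown names (an indexed query that returns one row or none), otherwise the enumeration simply moves to that step.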

Fix

Side Channel Attack

Found a problem in the description? Something to add? Feel free to write to us 👾

Weakness Enumeration

Related identifiers

CVE-2019-19805

Affected products

Mfscripts Yetishare