PT-2019-15967 · Mfscripts · Mfscripts Yetishare

Published: 2019-12-30 · Updated: 2021-07-21 · CVE-2019-19806

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

MFScripts YetiShare versions 3.5.2 through 4.5.3

Description

The issue allows an attacker to enumerate accounts by guessing email addresses, as the account forgot password.ajax.php file displays a message indicating whether an email address is configured for the provided account name.

Recommendations

For versions 3.5.2 through 4.5.3, consider modifying the account forgot password.ajax.php file to not disclose whether an email address is configured for the account name, or restrict access to this file to prevent account enumeration.
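
The first recommendation, shown as an added example that is not YetiShare source code: a forgot-password handler whose response differs by account existence, beside one that returns the same body either way. All function names, messages, and the in-memory account list are hypothetical and constructed for illustration.

```php
<?php
// Added example: hypothetical handlers, not YetiShare source code.
// Constructed sample data standing in for the user table.
const ACCOUNTS = [
    'alice@example.test' => ['id' => 1],
];

/** Stand-in for the application's mail queue (hypothetical helper). */
function queueResetMail(int $userId, string $token): void
{
    error_log("reset mail queued for user {$userId}");
}

/** Weak pattern: the response reveals whether the address is registered. */
function forgotPasswordLeaky(string $email): array
{
    if (!array_key_exists($email, ACCOUNTS)) {
        return ['error' => true, 'msg' => 'No account found for that email address.'];
    }
    queueResetMail(ACCOUNTS[$email]['id'], bin2hex(random_bytes(32)));
    return ['error' => false, 'msg' => 'Reset instructions sent.'];
}

/** Corrected pattern: identical body for known and unknown addresses. */
function forgotPasswordUniform(string $email): array
{
    $key = strtolower(trim($email));
    // Generate the token on every request so both paths do similar work.
    $token = bin2hex(random_bytes(32));
    if (array_key_exists($key, ACCOUNTS)) {
        queueResetMail(ACCOUNTS[$key]['id'], $token);
    }
    return [
        'error' => false,
        'msg'   => 'If an account exists for that address, reset instructions have been sent.',
    ];
}

// Check: the corrected handler's output must not depend on account existence.
$known   = json_encode(forgotPasswordUniform('alice@example.test'));
$unknown = json_encode(forgotPasswordUniform('nobody@example.test'));
echo $known === $unknown ? "uniform: OK\n" : "uniform: LEAK\n";
echo json_encode(forgotPasswordLeaky('nobody@example.test')), "\n";
```

The same comparison, run against the real endpoint with one known and one unknown address, is a quick regression check after patching.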

Fix

Generation of Error Message Containing Sensitive Information


Weakness Enumeration

Related Identifiers

CVE-2019-19806

Affected Products

Mfscripts Yetishare