PT-2026-4515 · Unknown · Yetishare File Hosting Script

Numan Türle · Published 2026-01-23 · Updated 2026-01-24 · CVE-2021-47899

CVSS v3.1: 4.0 (Medium)

Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

YetiShare File Hosting Script version 5.1.0

Description

The software contains a server-side request forgery condition that allows attackers to read local system files through the remote file upload feature. Attackers can exploit the url parameter in the /url upload handler API endpoint to access sensitive files, such as /etc/passwd, by using the file:/// protocol.

Recommendations

Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the /url upload handler API endpoint. Avoid using the url parameter in the affected API endpoint until the issue is resolved.
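The class of check that closes this kind of hole, shown as an added example (not YetiShare code and not the vendor's fix): a validator that a remote-upload handler could run on the submitted URL before fetching it. It generalizes beyond the file:/// case in the description by also rejecting hosts that map to non-public addresses; the function names, the injected `resolve` callable and the sample DNS table are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # file://, ftp://, gopher:// etc. are refused

# Constructed sample data standing in for DNS so the example runs offline.
SAMPLE_DNS = {
    "files.example.org": ["93.184.216.34"],
    "intranet.example.org": ["10.0.0.5"],
}

def sample_resolve(host):
    """Hypothetical resolver: hostname -> list of IP strings ([] if unknown)."""
    return SAMPLE_DNS.get(host.lower(), [])

def check_remote_upload_url(url, resolve=sample_resolve):
    """Return (ok, reason) for a user-supplied remote-upload URL."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname
    except ValueError:
        return False, "unparseable URL"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: " + (scheme or "(none)")
    if not host:
        return False, "missing host"
    try:
        # Host given as an IP literal: check it directly.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return False, "host did not resolve"
    for addr in addrs:
        # Loopback, RFC 1918, link-local and similar ranges are not global.
        if not ipaddress.ip_address(addr).is_global:
            return False, "non-public address: " + addr
    # The fetcher must connect to the addresses checked here and re-run
    # this check on every redirect target, or the check can be bypassed.
    return True, "ok"

if __name__ == "__main__":
    for u in ("file:///etc/passwd", "http://127.0.0.1/",
              "https://intranet.example.org/a", "https://files.example.org/a.zip"):
        print(u, "->", check_remote_upload_url(u))
```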

Unrestricted File Upload

Weakness Enumeration

Related identifiers

CVE-2021-47899

Affected products

Yetishare File Hosting Script