PT-2026-4515 · Unknown · Yetishare File Hosting Script
Numan Türle · Published 2026-01-23 · Updated 2026-01-24 · CVE-2021-47899
CVSS v3.1: 4.0 (Medium)
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
YetiShare File Hosting Script version 5.1.0
Description
The software contains a server-side request forgery condition that allows attackers to read local system files through the remote file upload feature. Attackers can exploit the url parameter in the /url upload handler API endpoint to access sensitive files, such as /etc/passwd, by using the file:/// protocol.
Recommendations
Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the /url upload handler API endpoint. Avoid using the url parameter in the affected API endpoint until the issue is resolved.
Exploit
Fix
Unrestricted File Upload
Weakness Enumeration
Related Identifiers
Affected Products
Yetishare File Hosting Script