A vulnerability classified as problematic has been found in MFScripts YetiShare up to 3.5.2. This affects an unknown code block of the component Session Cookie Handler. The manipulation with an unknown input leads to a permission assignment vulnerability (httponly). CWE is classifying the issue as CWE-732. The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. This is going to have an impact on confidentiality, and integrity. The summary by CVE is:

MFScripts YetiShare 3.5.2 through 4.5.3 does not set the HttpOnly flag on session cookies, allowing the cookie to be read by script, which can potentially be used by attackers to obtain the cookie via cross-site scripting.

The weakness was published 12/30/2019. This vulnerability is uniquely identified as CVE-2019-19736 since 12/11/2019. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. It demands that the victim is doing some kind of user interaction. The technical details are unknown and an exploit is not publicly available.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Similar entries are available at VDB-147919, VDB-147918, VDB-147917 and VDB-147916. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Vendor

• MFScripts

Name

• YetiShare

Version

• 3.5.0
• 3.5.1
• 3.5.2

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion