Insecure Password Reset Implementation in MFScripts YetiShare
CVE-2019-19735

9.1CRITICAL

Key Information:

Vendor

Mfscripts

Status
Yetishare
Vendor
CVE Published:
30 December 2019

What is CVE-2019-19735?

The YetiShare file-sharing platform, specifically in versions 3.5.2 through 4.5.3, contains a security flaw due to its insecure method of generating password reset hashes. The implementation relies solely on the microtime function, making it susceptible to brute-force attacks. An attacker can potentially guess the password reset hash and gain unauthorized access by resetting passwords within a few hours, posing a significant risk to user accounts and data security. Continuous monitoring and application of updates are essential to mitigate this vulnerability.

References

https://medium.com/%40jra8908/yetishare-3-5-2-4-5-3-multi...
x_refsource_MISC
https://github.com/jra89/CVE-2019-19735
x_refsource_MISC

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.