Account Enumeration Vulnerability in MFScripts YetiShare Product
CVE-2019-19805

5.3MEDIUM

Key Information:

Vendor: Mfscripts
Status: Yetishare
Vendor: CVE Published:; 30 December 2019

What is CVE-2019-19805?

The MFScripts YetiShare platform versions 3.5.2 through 4.5.3 is vulnerable to an account enumeration flaw. The file _account_forgot_password.ajax.php processes requests in a manner that varies its response time based on the existence of a configured email address, allowing attackers to deduce valid account names by probing with different email addresses. This discrepancy poses a significant risk, as it can be exploited to gain unauthorized insights into user accounts.

References

https://medium.com/%40jra8908/yetishare-3-5-2-4-5-3-multi...

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 30, 2019
Vulnerability Reserved
Dec 15, 2019

JSON

Mfscripts

What is CVE-2019-19805?

References

CVSS V3.1

Timeline