Account Enumeration Vulnerability in YetiShare by MFScripts
CVE-2019-19806

5.3MEDIUM

Key Information:

Vendor: Mfscripts
Status: Yetishare
Vendor: CVE Published:; 30 December 2019

What is CVE-2019-19806?

The account enumeration vulnerability affects MFScripts YetiShare versions 3.5.2 to 4.5.3. The issue resides in the _account_forgot_password.ajax.php file, which reveals whether an email address is configured for a provided account name. By exploiting this vulnerability, an attacker can systematically guess valid email addresses, thereby identifying existing accounts. This presents a significant risk, as it could lead to targeted phishing attacks or unauthorized account access.

References

https://medium.com/%40jra8908/yetishare-3-5-2-4-5-3-multi...

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 30, 2019
Vulnerability Reserved
Dec 15, 2019

JSON

Mfscripts

What is CVE-2019-19806?

References

CVSS V3.1

Timeline