translation_manage_text.ajax.php and various *_manage.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.3 directly insert values from the aSortDir_0 and/or sSortDir_0 parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection.
References
Link | Resource |
---|---|
https://github.com/jra89/CVE-2019-19732 | Exploit Third Party Advisory |
https://medium.com/%40jra8908/yetishare-3-5-2-4-5-3-multiple-vulnerabilities-2d01d0cd7459 | |
https://github.com/jra89/CVE-2019-19732 | Exploit Third Party Advisory |
https://medium.com/%40jra8908/yetishare-3-5-2-4-5-3-multiple-vulnerabilities-2d01d0cd7459 |
Configurations
History
21 Nov 2024, 04:35
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/jra89/CVE-2019-19732 - Exploit, Third Party Advisory | |
References | () https://medium.com/%40jra8908/yetishare-3-5-2-4-5-3-multiple-vulnerabilities-2d01d0cd7459 - |
07 Nov 2023, 03:07
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2019-12-30 17:15
Updated : 2024-11-21 04:35
NVD link : CVE-2019-19732
Mitre link : CVE-2019-19732
CVE.ORG link : CVE-2019-19732
JSON object : View
Products Affected
mfscripts
- yetishare
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')