Vulnerabilities (CVE)

Filtered by vendor Yellowfinbi Subscribe
Total 5 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-36389 1 Yellowfinbi 1 Yellowfin 2024-11-21 5.0 MEDIUM 7.5 HIGH
In Yellowfin before 9.6.1 it is possible to enumerate and download uploaded images through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIImage.i4".
CVE-2021-36388 1 Yellowfinbi 1 Yellowfin 2024-11-21 5.0 MEDIUM 7.5 HIGH
In Yellowfin before 9.6.1 it is possible to enumerate and download users profile pictures through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIIAvatarImage.i4".
CVE-2021-36387 1 Yellowfinbi 1 Yellowfin 2024-11-21 3.5 LOW 5.4 MEDIUM
In Yellowfin before 9.6.1 there is a Stored Cross-Site Scripting vulnerability in the video embed functionality exploitable through a specially crafted HTTP POST request to the page "ActivityStreamAjax.i4".
CVE-2020-19586 1 Yellowfinbi 1 Business Intelligence 2024-11-21 N/A 9.0 CRITICAL
Incorrect Access Control issue in Yellowfin Business Intelligence 7.3 allows remote attackers to escalate privilege via MIAdminStyles.i4 Admin UI.
CVE-2019-1010147 2 Bmc, Yellowfinbi 2 Remedy Smart Reporting, Yellowfin Bi 2024-11-21 3.5 LOW 5.4 MEDIUM
Yellowfin Smart Reporting All Versions Prior to 7.3 is affected by: Incorrect Access Control - Privileges Escalation. The impact is: Victim attacked and access admin functionality through their browser and control browser. The component is: MIAdminStyles.i4. The attack vector is: Victims are typically lured to a web site under the attacker's control; the XSS vulnerability on the target domain is silently exploited without the victim's knowledge. The fixed version is: 7.4 and later.