RSS   Vulnerabilities for 'Yellowfin'   RSS

2021-10-14
 
CVE-2021-36387

CWE-79
 

 
In Yellowfin before 9.6.1 there is a Stored Cross-Site Scripting vulnerability in the video embed functionality exploitable through a specially crafted HTTP POST request to the page "ActivityStreamAjax.i4".

 
 
CVE-2021-36388

CWE-639
 

 
In Yellowfin before 9.6.1 it is possible to enumerate and download users profile pictures through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIIAvatarImage.i4".

 
 
CVE-2021-36389

CWE-639
 

 
In Yellowfin before 9.6.1 it is possible to enumerate and download uploaded images through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIImage.i4".

 


Copyright 2024, cxsecurity.com

 

Back to Top