Yellowfin Cross Site Scripting / Insecure Direct Object Reference

2021.10.14
Credit: Michele Di Bonaventura
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2021-36387 | CVE-2021-36388 | CVE-2021-36389
CWE: CWE-79

YELLOWFIN < 9.6.1 MULTIPLE VULNERABILITIES ---------------------------------------------------- Vulnerability: ============== Stored Cross-Site Scripting Affected Products and Versions: =============================== Yellowfin < 9.6.1 CVEID: ====== CVE-2021-36387 CVSSv3.1 Score: =============== 5.4 (Medium) CVSSv3.1 Attack Vector: ======================= AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Short Description: ================== In Yellowfin before 9.6.1 there is a Stored Cross-Site Scripting vulnerability in the video embed functionality exploitable through a specially crafted HTTP POST request to the page "ActivityStreamAjax.i4". Remediation: ============ Update Yellowfin to the latest version available Discoverer: =========== Michele Di Bonaventura (cyberaz0r) Reference: ========== https://wiki.yellowfinbi.com/display/yfcurrent/Release+Notes+for+Yellowfin+9#ReleaseNotesforYellowfin9-Yellowfin9.6 ---------------------------------------------------- Vulnerability: ============== Insecure Direct Object Reference Affected Products and Versions: =============================== Yellowfin < 9.6.1 CVEID: ====== CVE-2021-36388 CVSSv3.1 Score: =============== 7.5 (High) CVSSv3.1 Attack Vector: ======================= AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Short Description: ================== In Yellowfin before 9.6.1 it is possible to enumerate and download users profile pictures through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIIAvatarImage.i4". Remediation: ============ Update Yellowfin to the latest version available Discoverer: =========== Michele Di Bonaventura (cyberaz0r) Reference: ========== https://wiki.yellowfinbi.com/display/yfcurrent/Release+Notes+for+Yellowfin+9#ReleaseNotesforYellowfin9-Yellowfin9.6 ---------------------------------------------------- Vulnerability: ============== Insecure Direct Object Reference Affected Products and Versions: =============================== Yellowfin < 9.6.1 CVEID: ====== CVE-2021-36389 CVSSv3.1 Score: =============== 7.5 (High) CVSSv3.1 Attack Vector: ======================= AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Short Description: ================== In Yellowfin before 9.6.1 it is possible to enumerate and download uploaded images through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIImage.i4". Remediation: ============ Update Yellowfin to the latest version available Discoverer: =========== Michele Di Bonaventura (cyberaz0r) Reference: ========== https://wiki.yellowfinbi.com/display/yfcurrent/Release+Notes+for+Yellowfin+9#ReleaseNotesforYellowfin9-Yellowfin9.6 ----------------------------------------------------


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top