- Stored Cross-Site Scripting in video embed functionality
- Insecure Direct Object Reference in MIAvatarImage.i4
- Insecure Direct Object Reference in MIImage.i4
Stored Cross-Site Scripting
Yellowfin < 9.6.1
CVE-2021-36387
5.4 (Medium)
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
In Yellowfin before 9.6.1 there is a Stored Cross-Site Scripting vulnerability in the video embed functionality exploitable through a specially crafted HTTP POST request to the page "ActivityStreamAjax.i4".
Update Yellowfin to the latest version available
Michele Di Bonaventura (cyberaz0r)
Insecure Direct Object Reference
Yellowfin < 9.6.1
CVE-2021-36388
7.5 (High)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
In Yellowfin before 9.6.1 it is possible to enumerate and download users profile pictures through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIIAvatarImage.i4".
Update Yellowfin to the latest version available
Michele Di Bonaventura (cyberaz0r)
Insecure Direct Object Reference
Yellowfin < 9.6.1
CVE-2021-36389
7.5 (High)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
In Yellowfin before 9.6.1 it is possible to enumerate and download uploaded images through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIImage.i4".
Update Yellowfin to the latest version available
Michele Di Bonaventura (cyberaz0r)