5 results (0.002 seconds)

CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 1

Incorrect Access Control issue in Yellowfin Business Intelligence 7.3 (CVE-2020-19586, per the reference URL below) allows remote attackers to escalate privilege via the MIAdminStyles.i4 admin UI. The reference title and the assigned CWE indicate that the escalation path is a stored cross-site scripting flaw in that page. • https://github.com/Deepak983/CVE-2020-19586/blob/main/Stored%20XSS%20in%20MIAdminStyles.i4%20through%20privileges%20escalation.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

In Yellowfin before 9.6.1 it is possible to enumerate and download users' profile pictures through an Insecure Direct Object Reference vulnerability, exploitable by sending a specially crafted HTTP GET request to the page "MIIAvatarImage.i4". Yellowfin versions prior to 9.6.1 suffer from persistent cross-site scripting and insecure direct object reference vulnerabilities. • http://seclists.org/fulldisclosure/2021/Oct/15 https://cyberaz0r.info/2021/10/yellowfin-multiple-vulnerabilities https://github.com/cyberaz0r/Yellowfin-Multiple-Vulnerabilities/blob/main/README.md https://packetstormsecurity.com/files/164515/Yellowfin-Cross-Site-Scripting-Insecure-Direct-Object-Reference.html https://wiki.yellowfinbi.com/display/yfcurrent/Release+Notes+for+Yellowfin+9#ReleaseNotesforYellowfin9-Yellowfin9.6 • CWE-639: Authorization Bypass Through User-Controlled Key •

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

In Yellowfin before 9.6.1 it is possible to enumerate and download uploaded images through an Insecure Direct Object Reference vulnerability, exploitable by sending a specially crafted HTTP GET request to the page "MIImage.i4". Yellowfin versions prior to 9.6.1 suffer from persistent cross-site scripting and insecure direct object reference vulnerabilities. • http://packetstormsecurity.com/files/164515/Yellowfin-Cross-Site-Scripting-Insecure-Direct-Object-Reference.html http://seclists.org/fulldisclosure/2021/Oct/15 https://cyberaz0r.info/2021/10/yellowfin-multiple-vulnerabilities https://github.com/cyberaz0r/Yellowfin-Multiple-Vulnerabilities/blob/main/README.md https://wiki.yellowfinbi.com/display/yfcurrent/Release+Notes+for+Yellowfin+9#ReleaseNotesforYellowfin9-Yellowfin9.6 • CWE-639: Authorization Bypass Through User-Controlled Key •
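The two IDOR entries above (MIIAvatarImage.i4 and MIImage.i4) share one detection angle: an unauthenticated or low-privileged client walking through object identifiers on a single image endpoint. The script below is an added example, not Yellowfin's code and not from the advisories; it runs over constructed Apache-style access-log lines and flags any client that requests a threshold number of distinct object ids from one of those endpoints inside a time window. The query-parameter name carrying the object id ("id"), the context-root paths and the sample lines are assumptions, since the advisories do not name the parameter; adjust ID_PARAMS and IDOR_PAGES to what your own logs show.

```python
"""Flag clients enumerating image objects on Yellowfin's MIImage.i4 and
MIIAvatarImage.i4 endpoints (IDOR, fixed in 9.6.1).

Added example, not Yellowfin's code. The log lines are constructed and the
parameter name "id" is an assumption: the advisories do not name it.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

IDOR_PAGES = {"/MIImage.i4", "/MIIAvatarImage.i4"}   # assumed context root "/"
ID_PARAMS = ("id",)          # assumption: parameter carrying the object reference
THRESHOLD = 5                # distinct ids from one client within WINDOW
WINDOW = timedelta(minutes=5)

# Combined Log Format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample: 203.0.113.7 walks ids 101..105 in four seconds;
# 198.51.100.2 fetches its own avatar twice and a report page.
LOG_LINES = [
    '203.0.113.7 - - [10/Oct/2021:12:00:01 +0000] "GET /MIImage.i4?id=101 HTTP/1.1" 200 4312',
    '203.0.113.7 - - [10/Oct/2021:12:00:02 +0000] "GET /MIImage.i4?id=102 HTTP/1.1" 200 3990',
    '203.0.113.7 - - [10/Oct/2021:12:00:03 +0000] "GET /MIImage.i4?id=103 HTTP/1.1" 200 1200',
    '203.0.113.7 - - [10/Oct/2021:12:00:04 +0000] "GET /MIImage.i4?id=104 HTTP/1.1" 404 0',
    '203.0.113.7 - - [10/Oct/2021:12:00:05 +0000] "GET /MIImage.i4?id=105 HTTP/1.1" 200 2222',
    '198.51.100.2 - - [10/Oct/2021:12:00:06 +0000] "GET /MIIAvatarImage.i4?id=7 HTTP/1.1" 200 800',
    '198.51.100.2 - - [10/Oct/2021:12:01:00 +0000] "GET /MIIAvatarImage.i4?id=7 HTTP/1.1" 200 800',
    '198.51.100.2 - - [10/Oct/2021:12:02:00 +0000] "GET /RPTReports.i4 HTTP/1.1" 200 30000',
    '203.0.113.7 - - [10/Oct/2021:12:30:00 +0000] "GET /MIIAvatarImage.i4?id=1 HTTP/1.1" 404 0',
]


def parse_line(line):
    """Return an event dict for a GET to an IDOR-prone page, else None.
    Non-200 responses are kept on purpose: probing unused ids yields 404s."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    url = urlsplit(m["path"])
    if url.path not in IDOR_PAGES:
        return None
    qs = parse_qs(url.query)
    obj_id = next((qs[p][0] for p in ID_PARAMS if p in qs), None)
    if obj_id is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": url.path,
            "id": obj_id, "status": int(m["status"])}


def find_enumerators(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {(ip, path): sorted distinct ids} for every client that
    requested >= threshold distinct ids from one endpoint within `window`."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["ip"], e["path"])].append(e)
    hits = {}
    for key, evs in by_key.items():
        start = 0
        for end, ev in enumerate(evs):          # sliding window per client/endpoint
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            if len({x["id"] for x in evs[start:end + 1]}) >= threshold:
                hits[key] = sorted({x["id"] for x in evs})
                break
    return hits


if __name__ == "__main__":
    for (ip, path), ids in find_enumerators(LOG_LINES).items():
        print(f"{ip} enumerated {len(ids)} objects on {path}: {', '.join(ids)}")
```

The threshold and window are deliberately low so the constructed sample trips them; on a real deployment tune them against a baseline, because a dashboard with many inline images will legitimately fetch several ids from MIImage.i4 in one page load. Since the flaw is authorization, not authentication, also join on the session or user column if your log format carries one: a single authenticated user pulling avatars for accounts they never interact with is the higher-fidelity signal.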

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

In Yellowfin before 9.6.1 there is a Stored Cross-Site Scripting vulnerability in the video embed functionality, exploitable through a specially crafted HTTP POST request to the page "ActivityStreamAjax.i4". Yellowfin versions prior to 9.6.1 suffer from persistent cross-site scripting and insecure direct object reference vulnerabilities. • http://packetstormsecurity.com/files/164515/Yellowfin-Cross-Site-Scripting-Insecure-Direct-Object-Reference.html http://seclists.org/fulldisclosure/2021/Oct/15 https://cyberaz0r.info/2021/10/yellowfin-multiple-vulnerabilities https://github.com/cyberaz0r/Yellowfin-Multiple-Vulnerabilities/blob/main/README.md https://wiki.yellowfinbi.com/display/yfcurrent/Release+Notes+for+Yellowfin+9#ReleaseNotesforYellowfin9-Yellowfin9.6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-639: Authorization Bypass Through User-Controlled Key •

CVSS: 5.4 | EPSS: 0% | CPEs: 2 | EXPL: 1

Yellowfin Smart Reporting, all versions prior to 7.3, is affected by Incorrect Access Control (privilege escalation). The impact is that an attacker, acting through the victim's browser, reaches admin functionality and controls that browser session. The component is MIAdminStyles.i4. The attack vector is that victims are typically lured to a web site under the attacker's control, from which the XSS vulnerability on the target domain is silently exploited without the victim's knowledge. The fixed version is 7.4 and later. • https://drive.google.com/open?id=1sk5IklziyEggeWpWE4Wyk9xqa30CjNpS • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •