CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-36388 – Yellowfin Cross Site Scripting / Insecure Direct Object Reference
https://notcve.org/view.php?id=CVE-2021-36388
In Yellowfin before 9.6.1 it is possible to enumerate and download users profile pictures through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIIAvatarImage.i4". En Yellowfin versiones anteriores a 9.6.1, es posible enumerar y descargar las imágenes de perfil de los usuarios mediante una vulnerabilidad de Referencia Directa de Objetos No Seguros explotable mediante el envío de una petición HTTP GET especialmente diseñada a la página "MIIAvatarImage.i4" Yellowfin versions prior to 9.6.1 suffer from persistent cross site scripting and insecure direct object reference vulnerabilities. • http://seclists.org/fulldisclosure/2021/Oct/15 https://cyberaz0r.info/2021/10/yellowfin-multiple-vulnerabilities https://github.com/cyberaz0r/Yellowfin-Multiple-Vulnerabilities/blob/main/README.md https://packetstormsecurity.com/files/164515/Yellowfin-Cross-Site-Scripting-Insecure-Direct-Object-Reference.html https://wiki.yellowfinbi.com/display/yfcurrent/Release+Notes+for+Yellowfin+9#ReleaseNotesforYellowfin9-Yellowfin9.6 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-36389 – Yellowfin Cross Site Scripting / Insecure Direct Object Reference
https://notcve.org/view.php?id=CVE-2021-36389
In Yellowfin before 9.6.1 it is possible to enumerate and download uploaded images through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIImage.i4". En Yellowfin versiones anteriores a 9.6.1, es posible enumerar y descargar las imágenes cargadas mediante una vulnerabilidad de Referencia Directa de Objetos No Seguros explotable mediante el envío de una petición HTTP GET especialmente diseñada a la página "MIImage.i4" Yellowfin versions prior to 9.6.1 suffer from persistent cross site scripting and insecure direct object reference vulnerabilities. • http://packetstormsecurity.com/files/164515/Yellowfin-Cross-Site-Scripting-Insecure-Direct-Object-Reference.html http://seclists.org/fulldisclosure/2021/Oct/15 https://cyberaz0r.info/2021/10/yellowfin-multiple-vulnerabilities https://github.com/cyberaz0r/Yellowfin-Multiple-Vulnerabilities/blob/main/README.md https://wiki.yellowfinbi.com/display/yfcurrent/Release+Notes+for+Yellowfin+9#ReleaseNotesforYellowfin9-Yellowfin9.6 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2021-36387 – Yellowfin Cross Site Scripting / Insecure Direct Object Reference
https://notcve.org/view.php?id=CVE-2021-36387
In Yellowfin before 9.6.1 there is a Stored Cross-Site Scripting vulnerability in the video embed functionality exploitable through a specially crafted HTTP POST request to the page "ActivityStreamAjax.i4". En Yellowfin versiones anteriores a 9.6.1, se presenta una vulnerabilidad de tipo Cross-Site Scripting Almacenado en la funcionalidad video embed, explotable mediante una petición HTTP POST especialmente diseñada a la página "ActivityStreamAjax.i4" Yellowfin versions prior to 9.6.1 suffer from persistent cross site scripting and insecure direct object reference vulnerabilities. • http://packetstormsecurity.com/files/164515/Yellowfin-Cross-Site-Scripting-Insecure-Direct-Object-Reference.html http://seclists.org/fulldisclosure/2021/Oct/15 https://cyberaz0r.info/2021/10/yellowfin-multiple-vulnerabilities https://github.com/cyberaz0r/Yellowfin-Multiple-Vulnerabilities/blob/main/README.md https://packetstormsecurity.com/files/164515/Yellowfin-Cross-Site-Scripting-Insecure-Direct-Object-Reference.html https://wiki.yellowfinbi.com/display/yfcurrent/Release+Notes+for+Yellowfin+9#ReleaseNotesforYellowfin9-Yellowfin9.6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 1CVE-2019-1010147
https://notcve.org/view.php?id=CVE-2019-1010147
Yellowfin Smart Reporting All Versions Prior to 7.3 is affected by: Incorrect Access Control - Privileges Escalation. The impact is: Victim attacked and access admin functionality through their browser and control browser. The component is: MIAdminStyles.i4. The attack vector is: Victims are typically lured to a web site under the attacker's control; the XSS vulnerability on the target domain is silently exploited without the victim's knowledge. The fixed version is: 7.4 and later. • https://drive.google.com/open?id=1sk5IklziyEggeWpWE4Wyk9xqa30CjNpS • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •