CVE-2021-36388

Published: Oct 14, 2021Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

In Yellowfin before 9.6.1 it is possible to enumerate and download users profile pictures through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIIAvatarImage.i4".

Affected (1)

Products: Yellowfinbi: Yellowfin

Yellowfinbi

1 product

Yellowfin

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Yellowfinbi Yellowfin	Before 9.6.1

Related CWEs

CWE-639

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (10)

http://seclists.org/fulldisclosure/2021/Oct/15

Source: cve@mitre.org

Third Party Advisory

https://cyberaz0r.info/2021/10/yellowfin-multiple-vulnerabilities/

Source: cve@mitre.org

https://github.com/cyberaz0r/Yellowfin-Multiple-Vulnerabilities/blob/main/README.md

Source: cve@mitre.org

Third Party Advisory

https://packetstormsecurity.com/files/164515/Yellowfin-Cross-Site-Scripting-Insecure-Direct-Object-Reference.html

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://wiki.yellowfinbi.com/display/yfcurrent/Release+Notes+for+Yellowfin+9#ReleaseNotesforYellowfin9-Yellowfin9.6

Source: cve@mitre.org

Release NotesVendor Advisory

http://seclists.org/fulldisclosure/2021/Oct/15