Description
In Yellowfin before 9.6.1 it is possible to enumerate and download users profile pictures through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIIAvatarImage.i4".
References
http://seclists.org/fulldisclosure/2021/Oct/15
Third Party Advisory
Third Party AdvisoryVDB Entry
CVSS impact metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 · High
CVSS V3.1
CVSS V3.0
CVSS V2.0
Information
Source identifier
Vulnerability status
Modified
Published
2021-10-14T19:15:09.223
3 years agoLast modified
2024-05-14T20:15:12.353
1 year ago