CVE-2021-36387: Stored Cross-Site Scripting
Affected Products and Versions: Yellowfin < 9.6.1
CVSSv3.1 Score: 5.4 (Medium)
CVSSv3.1 Attack Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Discoverer: Michele ‘cyberaz0r’ Di Bonaventura
Executive Summary
In Yellowfin before 9.6.1 there is a Stored Cross-Site Scripting vulnerability in the video embed functionality exploitable through a specially crafted HTTP POST request to the page “ActivityStreamAjax.i4”.
Remediation
Update Yellowfin to version 9.6.1 or later.
Reference
CVE-2021-36388: Insecure Direct Object Reference
Vulnerability
Affected Products and Versions: Yellowfin < 9.6.1
CVSSv3.1 Score: 7.5 (High)
CVSSv3.1 Attack Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Discoverer: Michele ‘cyberaz0r’ Di Bonaventura
Executive Summary
In Yellowfin before 9.6.1 it is possible to enumerate and download users profile pictures through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page “MIIAvatarImage.i4”.
Remediation
Update Yellowfin to version 9.6.1 or later.
Reference
CVE-2021-36389: Insecure Direct Object Reference
Affected Products and Versions: Yellowfin < 9.6.1
CVSSv3.1 Score: 7.5 (High)
CVSSv3.1 Attack Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Discoverer: Michele ‘cyberaz0r’ Di Bonaventura
Executive Summary
In Yellowfin before 9.6.1 it is possible to enumerate and download uploaded images through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page “MIImage.i4”.
Remediation
Update Yellowfin to version 9.6.1 or later.