CVE-2019-19736 Information

Description

MFScripts YetiShare 3.5.2 through 4.5.3 does not set the HttpOnly flag on session cookies allowing the cookie to be read by script which can potentially be used by attackers to obtain the cookie via cross-site scripting.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

https://medium.com/@jra8908/yetishare-3-5-2-4-5-3-multiple-vulnerabilities-2d01d0cd7459

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

6.1