Insecure Password Reset Hash Generation in MFScripts YetiShare

Insecure Password Reset Hash Generation in MFScripts YetiShare

CVE-2019-19735 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

class.userpeer.php in MFScripts YetiShare 3.5.2 through 4.5.3 uses an insecure method of creating password reset hashes (based only on microtime), which allows an attacker to guess the hash and set the password within a few hours by bruteforcing.

Learn more about our User Device Pen Test.