Insecure Direct Object Reference vulnerability allows unauthorized access to user profile pictures in Yellowfin before 9.6.1

CVE-2021-36388 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

In Yellowfin before 9.6.1 it is possible to enumerate and download users' profile pictures through an Insecure Direct Object Reference vulnerability, exploitable by sending a specially crafted HTTP GET request to the page "MIIAvatarImage.i4".
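The record above describes the classic IDOR shape: an object identifier supplied by the client is used directly to look up a resource, with no check that the authenticated caller is entitled to that object. The following is an added illustration, not Yellowfin's code and not derived from it: a hypothetical avatar handler in its vulnerable form beside a hardened form that derives authorization from the server-side identity, plus a small log-based check a defender could run to spot sequential enumeration of an avatar endpoint. The data store, group model, the `id` query parameter and the log lines are all constructed for the example; only the page name `MIIAvatarImage.i4` comes from the advisory.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed store: avatar bytes keyed by an internal numeric user id (assumption).
AVATARS: Dict[int, bytes] = {1001: b"PNG-alice", 1002: b"PNG-bob", 1003: b"PNG-carol"}

# Constructed visibility model (assumption): a user may see their own avatar
# and those of users who share a group with them.
GROUPS: Dict[str, Set[int]] = {"analysts": {1001, 1002}, "admins": {1003}}


def avatar_vulnerable(requested_id: int) -> Optional[bytes]:
    """IDOR pattern: the client-supplied id is used directly as the lookup key.
    Anyone who can reach the endpoint can walk the id space and pull every image."""
    return AVATARS.get(requested_id)


def visible_ids(requester_id: int) -> Set[int]:
    """Object ids the authenticated requester is allowed to read."""
    ids = {requester_id}
    for members in GROUPS.values():
        if requester_id in members:
            ids |= members
    return ids


def avatar_hardened(requester_id: Optional[int], requested_id: int) -> Optional[bytes]:
    """Authorization is decided from the server-side session identity, never from
    the request. Unauthenticated or out-of-scope requests return None, which the
    real handler would map to 401/403 rather than serving the object."""
    if requester_id is None:
        return None
    if requested_id not in visible_ids(requester_id):
        return None
    return AVATARS.get(requested_id)


# Common-log-format access line: client ip, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*"GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def enumeration_suspects(log_lines: List[str], path_fragment: str = "MIIAvatarImage.i4",
                         threshold: int = 20) -> List[str]:
    """Detection: count distinct avatar-endpoint URLs requested per client ip and
    flag clients at or above the threshold. Normal page rendering fetches a handful
    of avatars; an enumeration run touches many distinct ids."""
    distinct: Dict[str, Set[str]] = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or path_fragment not in m.group("path"):
            continue
        distinct.setdefault(m.group("ip"), set()).add(m.group("path"))
    return sorted(ip for ip, paths in distinct.items() if len(paths) >= threshold)


def constructed_log() -> List[str]:
    """Constructed sample traffic: one client walks 25 sequential ids, another
    fetches the two avatars a normal dashboard view would render."""
    lines = []
    for i in range(1, 26):
        lines.append(f'203.0.113.5 - - [01/Jan/2024:00:00:{i:02d} +0000] '
                     f'"GET /MIIAvatarImage.i4?id={1000 + i} HTTP/1.1" 200 512')
    for uid in (1001, 1002):
        lines.append(f'198.51.100.7 - - [01/Jan/2024:00:01:00 +0000] '
                     f'"GET /MIIAvatarImage.i4?id={uid} HTTP/1.1" 200 512')
    return lines


if __name__ == "__main__":
    print("vulnerable, no session:", avatar_vulnerable(1003))
    print("hardened, no session:", avatar_hardened(None, 1003))
    print("hardened, 1001 reads 1003:", avatar_hardened(1001, 1003))
    print("enumeration suspects:", enumeration_suspects(constructed_log()))
```

The hardened handler deliberately returns the same result (nothing) for "object does not exist" and "object not yours"; answering those two cases differently would still let a caller map which ids are valid. The threshold in the detector is a starting point to tune against a baseline of legitimate avatar requests per client on the deployment in question.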