Insecure Direct Object Reference vulnerability in Yellowfin before 9.6.1 allows unauthorized image enumeration and download

CVE-2021-36389 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

In Yellowfin before 9.6.1, uploaded images can be enumerated and downloaded through an Insecure Direct Object Reference (IDOR) vulnerability: a specially crafted HTTP GET request to the page "MIImage.i4" returns an uploaded image without the server verifying that the requester is authorised to access it. The CVSS vector (PR:N, UI:N) indicates the request requires neither authentication nor user interaction; the impact is limited to confidentiality (C:H), with no integrity or availability effect.
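Because the vulnerable page name is the only public detail, the most useful thing to show is how a defender would spot enumeration of "MIImage.i4" in web-server access logs. The following is an added example written for this page, not Yellowfin code and not taken from the advisory. It assumes Apache/nginx "combined" log format and that the image identifier travels in a query-string parameter named `id` (a placeholder name; the advisory does not state the parameter). The sample log lines are constructed for the example.

```python
"""Flag clients that request many distinct image ids from MIImage.i4 in a
short window, the access pattern an IDOR enumeration produces.

Added example for this advisory page; not Yellowfin code.
Assumptions: combined log format; image id in a query parameter called `id`
(placeholder name, not confirmed by the advisory); thresholds are tunable.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["path"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "endpoint": url.path,
        # `id` is an assumed parameter name; adjust to what the real requests carry.
        "id": parse_qs(url.query).get("id", [None])[0],
        "status": int(m["status"]),
    }


def find_enumeration(lines, endpoint="/MIImage.i4",
                     window=timedelta(seconds=60), min_distinct=5):
    """Return {ip: max distinct ids seen in any `window`} for clients that
    requested at least `min_distinct` different ids from `endpoint`.

    endswith() tolerates a servlet context path in front of MIImage.i4.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["endpoint"].endswith(endpoint) and rec["id"] is not None:
            per_ip[rec["ip"]].append((rec["ts"], rec["id"]))

    hits = {}
    for ip, events in per_ip.items():
        events.sort()  # chronological; makes the sliding window a prefix scan
        for i, (t0, _) in enumerate(events):
            ids = {oid for t, oid in events[i:] if t - t0 <= window}
            if len(ids) >= min_distinct:
                hits[ip] = max(hits.get(ip, 0), len(ids))
    return hits


# Constructed sample: one client walks ids 100..107 in eight seconds with no
# session (PR:N in the vector means no login is needed); another fetches two
# images minutes apart, which is ordinary dashboard use.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Jul/2021:12:00:{s:02d} +0000] '
    f'"GET /MIImage.i4?id={100 + s} HTTP/1.1" 200 5120 "-" "curl/7.68.0"'
    for s in range(8)
] + [
    '198.51.100.4 - - [10/Jul/2021:12:00:03 +0000] "GET /MIImage.i4?id=42 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jul/2021:12:05:00 +0000] "GET /MIImage.i4?id=43 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jul/2021:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


def enumeration_hits():
    """Run the detector over the constructed sample."""
    return find_enumeration(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, count in enumeration_hits().items():
        print(f"{ip}: {count} distinct image ids from MIImage.i4 within 60s")
```

The threshold of five distinct ids per minute is a starting point, not a rule: a busy dashboard legitimately loads several images per page, so tune `min_distinct` against a baseline of normal traffic before alerting on it, and pair the rule with the absence of a session cookie if your logs record one.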
