Insecure Direct Object Reference vulnerability in Yellowfin before 9.6.1 allows unauthorized image enumeration and download
CVE-2021-36389 · HIGH Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
In Yellowfin before 9.6.1 it is possible to enumerate and download uploaded images through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIImage.i4".
Learn more about our Web Application Penetration Testing UK.