mfscripts CVE Vulnerabilities & Metrics

Focus on mfscripts vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About mfscripts Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with mfscripts. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.


Global CVE Overview

Total mfscripts CVEs: 14
Earliest CVE date: 30 Dec 2019, 17:15 UTC
Latest CVE date: 10 Feb 2020, 13:15 UTC

Latest CVE reference: CVE-2019-20062

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 0

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical mfscripts CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 5.42

Max CVSS: 6.8

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range      Count
0.0-3.9    0
4.0-6.9    14
7.0-8.9    0
9.0-10.0   0

CVSS Distribution Chart

Top 5 Highest CVSS mfscripts CVEs

These are the five CVEs with the highest CVSS scores for mfscripts, sorted by severity first and then by recency.

All CVEs for mfscripts

CVE-2019-20062 mfscripts vulnerability CVSS: 5.0 10 Feb 2020, 13:15 UTC

MFScripts YetiShare v3.5.2 through v4.5.4 might allow an attacker to reset a password by using a leaked hash (the hash never expires until used).

CVE-2019-20061 mfscripts vulnerability CVSS: 5.0 10 Feb 2020, 13:15 UTC

The user-introduction email in MFScripts YetiShare v3.5.2 through v4.5.4 may leak the (system-picked) password if this email is sent in cleartext. In other words, the user is not allowed to choose their own initial password.

CVE-2019-20060 mfscripts vulnerability CVSS: 5.0 10 Feb 2020, 13:15 UTC

MFScripts YetiShare v3.5.2 through v4.5.4 places sensitive information in the Referer header. If this leaks, then third parties may discover password-reset hashes, file-delete links, or other sensitive information.

CVE-2019-20059 mfscripts vulnerability CVSS: 6.8 10 Feb 2020, 13:15 UTC

payment_manage.ajax.php and various *_manage.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.4 directly insert values from the sSortDir_0 parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection. NOTE: this issue exists because of an incomplete fix for CVE-2019-19732.

CVE-2019-19806 mfscripts vulnerability CVSS: 5.0 30 Dec 2019, 18:15 UTC

_account_forgot_password.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.3 displays a message indicating whether an email address is configured for the account name provided. This can be used by an attacker to enumerate accounts by guessing email addresses.

CVE-2019-19805 mfscripts vulnerability CVSS: 5.0 30 Dec 2019, 18:15 UTC

_account_forgot_password.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.3 takes a different amount of time to return depending on whether an email address is configured for the account name provided. This can be used by an attacker to enumerate accounts by guessing email addresses.

CVE-2019-19739 mfscripts vulnerability CVSS: 5.0 30 Dec 2019, 17:15 UTC

MFScripts YetiShare 3.5.2 through 4.5.3 does not set the Secure flag on session cookies, allowing the cookie to be sent over cleartext channels.

CVE-2019-19738 mfscripts vulnerability CVSS: 4.3 30 Dec 2019, 17:15 UTC

log_file_viewer.php in MFScripts YetiShare 3.5.2 through 4.5.3 does not sanitize or encode the output from the lFile parameter on the page, which would allow an attacker to input HTML or execute scripts on the site, aka XSS.

CVE-2019-19737 mfscripts vulnerability CVSS: 6.8 30 Dec 2019, 17:15 UTC

MFScripts YetiShare 3.5.2 through 4.5.3 does not set the SameSite flag on session cookies, allowing the cookie to be sent in cross-site requests and potentially be used in cross-site request forgery attacks.

CVE-2019-19736 mfscripts vulnerability CVSS: 4.3 30 Dec 2019, 17:15 UTC

MFScripts YetiShare 3.5.2 through 4.5.3 does not set the HttpOnly flag on session cookies, allowing the cookie to be read by script, which can potentially be used by attackers to obtain the cookie via cross-site scripting.

CVE-2019-19735 mfscripts vulnerability CVSS: 6.4 30 Dec 2019, 17:15 UTC

class.userpeer.php in MFScripts YetiShare 3.5.2 through 4.5.3 uses an insecure method of creating password reset hashes (based only on microtime), which allows an attacker to guess the hash and set the password within a few hours by brute-forcing.

CVE-2019-19734 mfscripts vulnerability CVSS: 6.5 30 Dec 2019, 17:15 UTC

_account_move_file_in_folder.ajax.php in MFScripts YetiShare 3.5.2 directly inserts values from the fileIds parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection.

CVE-2019-19733 mfscripts vulnerability CVSS: 4.3 30 Dec 2019, 17:15 UTC

_get_all_file_server_paths.ajax.php (aka get_all_file_server_paths.ajax.php) in MFScripts YetiShare 3.5.2 through 4.5.3 does not sanitize or encode the output from the fileIds parameter on the page, which would allow an attacker to input HTML or execute scripts on the site, aka XSS.

CVE-2019-19732 mfscripts vulnerability CVSS: 6.5 30 Dec 2019, 17:15 UTC

translation_manage_text.ajax.php and various *_manage.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.3 directly insert values from the aSortDir_0 and/or sSortDir_0 parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection.