CVE-2019-19735

9.1 CRITICAL

📋 TL;DR

This vulnerability in YetiShare allows attackers to guess password reset tokens by brute-forcing predictable hashes based on microtime. Attackers can reset any user's password and gain unauthorized access. All YetiShare installations running affected versions are vulnerable.

💻 Affected Systems

Products:
  • MFScripts YetiShare
Versions: 3.5.2 through 4.5.3
Operating Systems: Any OS running YetiShare
Default Config Vulnerable: ⚠️ Yes
Notes: All installations within the version range are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover of any user, including administrators, leading to data theft, privilege escalation, and full system compromise.

🟠 Likely Case

Unauthorized access to user accounts, potential data exfiltration, and lateral movement within the application.

🟢 If Mitigated

Limited impact with proper monitoring and rate limiting, but still a serious authentication bypass vulnerability.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit scripts are publicly available on GitHub. Attack requires no authentication and can be automated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.5.4 and later

Vendor Advisory: https://mfscripts.com/

Restart Required: No

Instructions:

1. Backup your YetiShare installation and database.
2. Download the latest version from the official vendor.
3. Replace the vulnerable class.userpeer.php file with the patched version.
4. Verify the fix by testing password reset functionality.

🔧 Temporary Workarounds

Disable Password Reset

all

Temporarily disable password reset functionality to prevent exploitation.

# Modify YetiShare configuration to disable password reset feature

Implement Rate Limiting

all

Add rate limiting to password reset requests to make brute-force attacks impractical.

# Configure web server or application firewall to limit requests to /account/reset_password

🧯 If You Can't Patch

  • Implement strong network segmentation to isolate the vulnerable system
  • Enable detailed logging and monitoring for password reset attempts

🔍 How to Verify

Check if Vulnerable:

Check the version of YetiShare installed. If between 3.5.2 and 4.5.3 inclusive, the system is vulnerable.

Check Version:

grep -r 'version' /path/to/yetishare/config/ (or check the version shown in the admin panel)

Verify Fix Applied:

Verify that class.userpeer.php has been updated to version 4.5.4 or later. Test password reset functionality to ensure it uses cryptographically secure tokens.

📡 Detection & Monitoring

Log Indicators:

  • Unusual volume of password reset requests
  • Multiple failed password reset attempts from single IP
  • Successful password resets for accounts that didn't request them

Network Indicators:

  • HTTP POST requests to /account/reset_password with predictable token patterns
  • Brute-force patterns in request timing

SIEM Query:

source="web_logs" AND (url="/account/reset_password" AND status=200) | stats count by src_ip | where count > 10
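As an added example (not part of this advisory), the SIEM query above applied to web server access logs with plain Python: it counts HTTP 200 responses on /account/reset_password per source IP, applies the same count > 10 threshold, and also reports the shortest gap between consecutive requests as the timing indicator from the network indicators list. The log lines are constructed, and the Apache combined log format is an assumption about the deployment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined-style access log line; the format is an assumption about the deployment.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
RESET_PATH = "/account/reset_password"


def make_line(ip, second, path=RESET_PATH, status=200):
    # Constructed sample log line, not real traffic.
    return (f'{ip} - - [10/Dec/2019:14:00:{second:02d} +0000] '
            f'"POST {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


SAMPLE_LOGS = (
    [make_line("203.0.113.5", s) for s in range(12)]               # 12 resets in 12 seconds
    + [make_line("198.51.100.7", s) for s in (5, 40)]              # ordinary user, 2 requests
    + [make_line("192.0.2.9", s, status=404) for s in range(15)]   # non-200: excluded by the query
)


def reset_stats(lines, path=RESET_PATH):
    """Per source IP: count of HTTP 200 responses on the reset endpoint (the SIEM
    'stats count by src_ip') plus the shortest gap in seconds between consecutive requests."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["path"].split("?")[0] != path or m["status"] != "200":
            continue
        by_ip[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    stats = {}
    for ip, times in by_ip.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        stats[ip] = {"count": len(times), "min_gap_s": min(gaps) if gaps else None}
    return stats


def flag_ips(lines, threshold=10):
    """Equivalent of '| where count > 10': IPs whose successful reset requests exceed the threshold."""
    return sorted(ip for ip, s in reset_stats(lines).items() if s["count"] > threshold)


if __name__ == "__main__":
    for ip in flag_ips(SAMPLE_LOGS):
        print(ip, reset_stats(SAMPLE_LOGS)[ip])
```

A sub-second min_gap_s across many requests from one IP is the timing signature the network indicators describe; a legitimate user rarely submits more than a handful of reset requests.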
