VYPR
Unrated severity · NVD Advisory · Published Feb 10, 2020 · Updated Aug 5, 2024

CVE-2019-20059


Description

payment_manage.ajax.php and various *_manage.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.4 directly insert values from the sSortDir_0 parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection. NOTE: this issue exists because of an incomplete fix for CVE-2019-19732.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in YetiShare 3.5.2–4.5.4 via unsanitized sSortDir_0 parameter in payment_manage.ajax.php and other ajax endpoints, allowing data extraction.

Vulnerability

In MFScripts YetiShare versions 3.5.2 through 4.5.4, the payment_manage.ajax.php and various other *_manage.ajax.php files directly insert values from the sSortDir_0 parameter into a SQL query string without proper sanitization or parameterization, leading to SQL injection [1][2]. This issue exists because of an incomplete fix for CVE-2019-19732.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious value for the sSortDir_0 parameter in a request to the affected AJAX endpoints. No authentication is required if the endpoint is exposed; however, some endpoints may require prior authentication depending on the configuration. The attacker simply appends SQL syntax to the parameter value, which is then directly concatenated into the SQL query executed by the application.

Impact

Successful exploitation allows an attacker to manipulate the SQL query and extract arbitrary data from the database, typically including sensitive information such as user credentials, session tokens, or payment data. The attacker may also be able to modify or delete database records, depending on the database permissions and query structure.

Mitigation

The vendor has not released a public patch for versions 4.5.4 and earlier [1][2]. Users should upgrade to a version beyond 4.5.4 if available, or correct the underlying flaw that the CVE-2019-19732 fix was meant to address, so that the sSortDir_0 value can no longer reach the SQL string unvalidated. No workaround is provided in the references. If no updated version is available, consider disabling or restricting access to the vulnerable AJAX endpoints as a temporary measure.
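As an added illustration of the fix pattern (not YetiShare's own code, which is PHP; this is a Python/sqlite equivalent of the same server-side table handler): the vulnerable concatenation beside a hardened builder that allow-lists sSortDir_0 and the sort column and binds the paging values as parameters, since ORDER BY keywords and identifiers cannot be bound with placeholders. The table schema, the column list and the parameter names other than sSortDir_0 are assumptions.

```python
import sqlite3

# Allow-lists: ORDER BY direction and column are SQL keywords/identifiers, not
# values, so they cannot be bound with placeholders and must be whitelisted.
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}
SORTABLE_COLUMNS = ["id", "amount", "created"]  # index = iSortCol_0 (assumed schema)


def build_query_vulnerable(params):
    """Mirrors the flawed pattern: the request value is concatenated straight into SQL."""
    direction = params.get("sSortDir_0", "asc")
    return "SELECT id, amount FROM payment ORDER BY amount " + direction


def build_query_hardened(params):
    """Allow-list the identifiers, bind the numeric paging values as parameters."""
    direction = ALLOWED_DIRECTIONS.get(str(params.get("sSortDir_0", "asc")).lower())
    if direction is None:
        raise ValueError("rejected sSortDir_0: not ASC/DESC")
    try:
        column = SORTABLE_COLUMNS[int(params.get("iSortCol_0", 0))]
    except (ValueError, IndexError):
        raise ValueError("rejected iSortCol_0: not a sortable column index")
    try:
        start = int(params.get("iDisplayStart", 0))
        length = int(params.get("iDisplayLength", 10))
    except ValueError:
        raise ValueError("rejected paging parameters: not integers")
    if start < 0 or not 1 <= length <= 100:
        raise ValueError("rejected paging parameters: out of range")
    sql = f"SELECT id, amount FROM payment ORDER BY {column} {direction} LIMIT ? OFFSET ?"
    return sql, (length, start)


def list_payments(params):
    """Run the hardened query against a constructed in-memory payment table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE payment (id INTEGER, amount INTEGER, created TEXT)")
    conn.executemany("INSERT INTO payment VALUES (?, ?, ?)",  # constructed sample rows
                     [(1, 500, "2019-12-01"), (2, 120, "2019-12-02"), (3, 900, "2019-12-03")])
    sql, args = build_query_hardened(params)
    rows = conn.execute(sql, args).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    print(list_payments({"sSortDir_0": "desc", "iSortCol_0": "1"}))
    try:
        list_payments({"sSortDir_0": "asc, id"})  # extra SQL in the direction field
    except ValueError as exc:
        print("blocked:", exc)
```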

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
