VYPR
Unrated severity · NVD Advisory · Published Feb 10, 2020 · Updated Aug 5, 2024

CVE-2019-20060

Description

MFScripts YetiShare v3.5.2 through v4.5.4 places sensitive information in the Referer header. If this leaks, then third parties may discover password-reset hashes, file-delete links, or other sensitive information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

YetiShare v3.5.2–v4.5.4 leaks sensitive data (password-reset hashes, file-delete links) in the Referer header, enabling third-party discovery.

Vulnerability

Affecting MFScripts YetiShare versions v3.5.2 through v4.5.4 inclusive, the application places sensitive information, such as password-reset hashes, file-delete links and other private tokens, in page URLs that the browser then reports in the HTTP Referer header [1][2]. Whenever a page whose URL carries such a secret loads a third-party resource, or the user follows a link from it to another site, the browser includes the full referring URL, query string and all, in the Referer header of that request unless the page or the response restricts it. Because the application does not restrict referrer disclosure (for example with a Referrer-Policy response header or rel="noreferrer" on outbound links), the secret leaves the site.

Exploitation

Exploiting the flaw requires no credentials on the attacker's side: the attacker only needs to receive a request from a browser that is currently on a YetiShare page whose URL contains a secret. That happens when such a page embeds a third-party resource the attacker can observe, or when the victim follows a link from it to a site the attacker controls or whose logs the attacker can read. The attacker then reads the Referer header of the incoming request; if the victim arrived from a password-reset confirmation or a direct file-delete URL, the secret is transmitted verbatim in the header [1][2]. A victim following a password-reset link is not necessarily logged in, so the leak does not depend on an authenticated session.

Impact

Successful exploitation gives the attacker the tokens themselves: a password-reset hash can be used to set a new password and hijack the account, and a file-delete link can be used to delete the victim's stored files. Confidentiality of the affected tokens is lost, and where a file-delete URL is a bearer-style link that the application honours without a further authorization check, the integrity and availability of stored files are affected as well.

Mitigation

As of the publication date (2020-02-10) no patch had been released, and v4.5.4 is the last version known to be affected; administrators should update to a release newer than v4.5.4 once the vendor ships one [1][2]. Until then, limit what the browser discloses: send a Referrer-Policy: no-referrer (or at least strict-origin-when-cross-origin) response header on pages whose URLs carry secrets, add rel="noreferrer" to external links on those pages, and keep third-party scripts and images off them. A web application firewall in front of YetiShare cannot help here, because the Referer header is sent by the victim's browser directly to the third party and never passes through the WAF. No KEV listing is known.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
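The browser-side leak described under Exploitation, and the effect of the Referrer-Policy mitigation described under Mitigation, in one added Python example that is not code from YetiShare or from this advisory's sources: referer_sent() implements the Referrer Policy specification's rules for what a browser puts in the Referer header of a request issued from a given page, and harvest_secrets() shows the third-party side, pulling URL-borne tokens out of access-log lines. The hostnames, paths, the query-parameter name hash and the log lines are all constructed for illustration and are not YetiShare's actual URLs or parameters.

```python
"""Referer leakage of URL-borne secrets: what a browser sends under each
Referrer-Policy, and how a third party harvests leaked tokens from its logs.

Added example, not YetiShare code. Hosts, paths, the parameter name "hash"
and the log lines are constructed and do not come from YetiShare.
"""
import re
from urllib.parse import parse_qs, urlsplit, urlunsplit

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)


def _netloc(p):
    """host[:port] with any userinfo removed, as browsers serialise it."""
    host = p.hostname or ""
    return f"{host}:{p.port}" if p.port else host


def _strip_for_referrer(url):
    """Full referrer: credentials and fragment dropped, query string kept."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _netloc(p), p.path, p.query, ""))


def _origin(url):
    """Origin-only referrer: scheme://host[:port]/"""
    p = urlsplit(url)
    return f"{p.scheme}://{_netloc(p)}/"


def referer_sent(source_url, dest_url, policy="no-referrer-when-downgrade"):
    """Referer value a browser attaches to a request for dest_url made from a
    page at source_url, or None when no header is sent.  Follows the Referrer
    Policy spec's "determine request's referrer" rules.  The default here is
    the browser default when this CVE was published (2020); current browsers
    default to strict-origin-when-cross-origin.
    """
    src, dst = urlsplit(source_url), urlsplit(dest_url)
    same_origin = (src.scheme, src.hostname, src.port) == (dst.scheme, dst.hostname, dst.port)
    downgrade = src.scheme == "https" and dst.scheme == "http"  # TLS -> plaintext
    full, origin = _strip_for_referrer(source_url), _origin(source_url)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        return full if same_origin else (None if downgrade else origin)
    raise ValueError(f"unknown Referrer-Policy: {policy}")


# Third-party side: constructed combined-log-format lines as the attacker's
# (or any CDN's) server would record them.  Only lines 1 and 4 carry a secret.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2020:12:00:01 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"https://share.example.test/reset_password?hash=3f9a1c7e5b2d" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Feb/2020:12:00:02 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Feb/2020:12:03:10 +0000] "GET /lib.js HTTP/1.1" 200 9120 '
    '"https://share.example.test/" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Feb/2020:12:04:27 +0000] "GET /lib.js HTTP/1.1" 200 9120 '
    '"https://share.example.test/file/delete?hash=9c04d1e7ab33" "Mozilla/5.0"',
]
# request line, status, size, referer, user-agent
LOG_RE = re.compile(r'"[A-Z]+ [^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')
SENSITIVE_PARAMS = ("hash",)  # assumed parameter name, not YetiShare's actual one


def harvest_secrets(log_lines, params=SENSITIVE_PARAMS):
    """Return (referring page, parameter, value) for every leaked secret."""
    found = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group("referer") in ("", "-"):
            continue
        ref = urlsplit(m.group("referer"))
        page = urlunsplit(ref[:3] + ("", ""))  # referrer with query stripped
        query = parse_qs(ref.query)
        for name in params:
            for value in query.get(name, []):
                found.append((page, name, value))
    return found


if __name__ == "__main__":
    reset = "https://share.example.test/reset_password?hash=3f9a1c7e5b2d"
    for pol in POLICIES:
        print(f"{pol:32} -> {referer_sent(reset, 'https://cdn.example.test/lib.js', pol)}")
    for page, name, value in harvest_secrets(SAMPLE_LOG):
        print(f"leaked {name}={value} from {page}")
```

Running the block prints the Referer that cdn.example.test would receive from the reset page under each policy: the full URL including hash under no-referrer-when-downgrade (the 2020 browser default) and unsafe-url, only https://share.example.test/ under the origin-based policies, and nothing under no-referrer. The harvest pass over the constructed log recovers both tokens from the full-URL referers and nothing from the origin-only one, which is exactly the difference the Referrer-Policy mitigation makes.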

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)