CVE-2019-20062
Description
MFScripts YetiShare v3.5.2 through v4.5.4 might allow an attacker to reset a password by using a leaked hash (the hash never expires until used).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
YetiShare v3.5.2–v4.5.4 allows password reset using a leaked hash that never expires, enabling unauthorized account takeover.
Vulnerability
MFScripts YetiShare versions 3.5.2 through 4.5.4 contain a vulnerability in the password reset functionality. The reset hash, once generated, never expires until it is used. If an attacker obtains this hash (e.g., via a leak or interception), they can reset the associated user's password at any time without needing the original email link or further authentication [1].
Exploitation
An attacker who gains access to a valid password reset hash—whether through database compromise, network sniffing, or other means—can directly use the hash to reset the victim's password. No additional privileges or user interaction beyond obtaining the hash are required.
Impact
Successful exploitation allows the attacker to change the victim's password and take over the account. This leads to unauthorized access to sensitive data stored in the affected YetiShare instance, such as uploaded files and user information, compromising confidentiality, integrity, and availability of user data.
Mitigation
Upgrade to YetiShare version 4.5.5 or later, where the fix enforces an expiration time for password reset hashes. If upgrading is not immediately possible, consider monitoring logs for unusual password reset activity and restricting access to database servers to prevent hash leaks.
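A sketch of the control this section describes, as an added example that is not YetiShare's code: reset tokens that expire, are single-use, and are stored only as a digest, so a leaked table row cannot be replayed. The class name, the one-hour lifetime and the in-memory table are assumptions, and storing a digest goes beyond the expiry fix the page describes.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 3600  # assumed lifetime; the page does not state the value used by the fix


class ResetTokenStore:
    """In-memory stand-in for a reset table (hypothetical, not YetiShare's schema)."""

    def __init__(self, ttl=RESET_TTL_SECONDS, clock=time.time):
        self.ttl = ttl        # ttl=None models the never-expiring behaviour described above
        self.clock = clock    # injectable so expiry can be tested without sleeping
        self._rows = {}       # user_id -> (sha256 digest of token, issued_at)

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self._rows[user_id] = (digest, self.clock())  # replaces any older token
        return token          # sent to the user; only the digest is kept server-side

    def redeem(self, user_id, token):
        row = self._rows.get(user_id)
        if row is None:
            return False
        digest, issued_at = row
        if self.ttl is not None and self.clock() - issued_at > self.ttl:
            del self._rows[user_id]   # expired: purge so it can never be replayed
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, digest):
            return False              # wrong token: leave the row for the real user
        del self._rows[user_id]       # single use
        return True

    def stored_values(self):
        return [digest for digest, _ in self._rows.values()]


if __name__ == "__main__":
    now = [0.0]                       # constructed clock for the demo
    store = ResetTokenStore(clock=lambda: now[0])
    stale = store.issue("alice")
    now[0] += RESET_TTL_SECONDS + 1
    print("stale token accepted:", store.redeem("alice", stale))
```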
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- MFScripts/YetiShare
Patches
No patches discovered yet.
References
- medium.com/%40jra8908/yetishare-3-5-2-4-5-4-multiple-vulnerabilities-927d17b71ad (mitre, x_refsource_MISC)
- mfscripts.com (mitre, x_refsource_MISC)
- yetishare.com (mitre, x_refsource_MISC)