Vulnerabilities > Yellowfinbi
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-09-14 | CVE-2020-19586 | Cross-site Scripting vulnerability in Yellowfinbi Business Intelligence 7.3 Incorrect Access Control issue in Yellowfin Business Intelligence 7.3 allows remote attackers to escalate privilege via MIAdminStyles.i4 Admin UI. | 9.0 |
| 2021-10-14 | CVE-2021-36387 | Cross-site Scripting vulnerability in Yellowfinbi Yellowfin In Yellowfin before 9.6.1 there is a Stored Cross-Site Scripting vulnerability in the video embed functionality exploitable through a specially crafted HTTP POST request to the page "ActivityStreamAjax.i4". | 5.4 |
| 2021-10-14 | CVE-2021-36388 | Authorization Bypass Through User-Controlled Key vulnerability in Yellowfinbi Yellowfin In Yellowfin before 9.6.1 it is possible to enumerate and download users profile pictures through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIIAvatarImage.i4". | 7.5 |
| 2021-10-14 | CVE-2021-36389 | Authorization Bypass Through User-Controlled Key vulnerability in Yellowfinbi Yellowfin In Yellowfin before 9.6.1 it is possible to enumerate and download uploaded images through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIImage.i4". | 7.5 |
| 2019-07-26 | CVE-2019-1010147 | Cross-site Scripting vulnerability in multiple products Yellowfin Smart Reporting All Versions Prior to 7.3 is affected by: Incorrect Access Control - Privileges Escalation. | 5.4 |