Aggregates CVE and security vulnerability intelligence across all yellowfinbi-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Common weakness patterns include vendor risk cross-site scripting, with potential vendor impact session compromise across vendor surface production workloads and vendor surface software deployment use cases.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2020-19586 | Incorrect Access Control issue in Yellowfin Business Intelligence 7.3 allows remote attackers to escalate privilege via MIAdminStyles.i4 Admin UI. | [email protected] | 9.0 | 1.45% | 2022-09-14 | 2024-11-21 |
| CVE-2021-36389 | In Yellowfin before 9.6.1 it is possible to enumerate and download uploaded images through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIImage.i4". | [email protected] | 7.5 | 3.02% | 2021-10-14 | 2024-11-21 |
| CVE-2021-36388 | In Yellowfin before 9.6.1 it is possible to enumerate and download users profile pictures through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIIAvatarImage.i4". | [email protected] | 7.5 | 1.61% | 2021-10-14 | 2024-11-21 |
| CVE-2021-36387 | In Yellowfin before 9.6.1 there is a Stored Cross-Site Scripting vulnerability in the video embed functionality exploitable through a specially crafted HTTP POST request to the page "ActivityStreamAjax.i4". | [email protected] | 5.4 | 3.08% | 2021-10-14 | 2024-11-21 |
| CVE-2019-1010147 | Yellowfin Smart Reporting All Versions Prior to 7.3 is affected by: Incorrect Access Control - Privileges Escalation. The impact is: Victim attacked and access admin functionality through their browser and control browser. The component is: MIAdminStyles.i4. The attack vector is: Victims are typically lured to a web site under the attacker's control; the XSS vulnerability on the target domain is silently exploited without the victim's knowledge. The fixed version is: 7.4 and later. | [email protected] | 5.4 | 0.18% | 2019-07-26 | 2024-11-21 |