In Yellowfin before 9.6.1 there is a Stored Cross-Site Scripting vulnerability in the video embed functionality exploitable through a specially crafted HTTP POST request to the page "ActivityStreamAjax.i4".
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Link | Tags |
---|---|
http://packetstormsecurity.com/files/164515/Yellowfin-Cross-Site-Scripting-Insecure-Direct-Object-Reference.html | third party advisory vdb entry |
https://wiki.yellowfinbi.com/display/yfcurrent/Release+Notes+for+Yellowfin+9#ReleaseNotesforYellowfin9-Yellowfin9.6 | release notes vendor advisory |
https://packetstormsecurity.com/files/164515/Yellowfin-Cross-Site-Scripting-Insecure-Direct-Object-Reference.html | third party advisory vdb entry |
https://github.com/cyberaz0r/Yellowfin-Multiple-Vulnerabilities/blob/main/README.md | third party advisory |
http://seclists.org/fulldisclosure/2021/Oct/15 | third party advisory mailing list |
https://cyberaz0r.info/2021/10/yellowfin-multiple-vulnerabilities/ | |