CVE-2019-14537
published 2019-08-07

CVE-2019-14537: YOURLS through 1.7.3 is affected by a type juggling vulnerability in the api component that can result in login bypass.

Priority: P2 60, critical, CVSS 3.0 score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 6.14% (92.6th percentile)

Affected (2 ranges)

Vendor | Product | Version range   | Fixed in
yourls | yourls  | <= 1.7.3        |
yourls | yourls  | >= 0, < 1.7.4   | 1.7.4

Detection & IOCs (extracted from sources)

  • The vulnerability is a PHP type juggling issue in the YOURLS API authentication component, allowing login bypass. Detection should focus on API authentication requests that exploit loose type comparison (e.g., passing a non-string value for the password/signature parameter).
  • A public PoC exploit exists at https://github.com/Wocanilo/CVE-2019-14537 which can be used to understand the attack pattern and craft detection signatures for YOURLS API authentication bypass attempts.
  • Monitor YOURLS API endpoints for authentication requests containing type-juggling payloads (e.g., numeric or boolean values in password/signature fields instead of strings), particularly against versions up to and including 1.7.3.
  • The fix was introduced in YOURLS commits after 1.7.3; refer to the upstream pull request and releases for the exact patched version.
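As an added illustration of the monitoring advice above (this is example code written for this page, not code from the YOURLS project or from the PoC repository): a small Python scanner over constructed web-server log lines that flags requests to the YOURLS API endpoint whose signature or password parameter is sent as an array or as a bare numeric/boolean token rather than an ordinary string. The log lines are constructed, and the endpoint path and parameter names are assumptions for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines (not real traffic), common log format. yourls-api.php is assumed
# to be the API endpoint and 'signature'/'password' its authentication parameters.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Aug/2019:10:00:01 +0000] "GET /yourls-api.php?action=db-stats&signature=9f2b1c0d5e6a7b8c9d0e1f2a3b4c5d6e&format=json HTTP/1.1" 200 512
203.0.113.11 - - [07/Aug/2019:10:00:02 +0000] "GET /yourls-api.php?action=db-stats&signature[]=1&format=json HTTP/1.1" 200 512
203.0.113.12 - - [07/Aug/2019:10:00:03 +0000] "GET /yourls-api.php?action=db-stats&username=admin&password=0&format=json HTTP/1.1" 403 128
203.0.113.13 - - [07/Aug/2019:10:00:04 +0000] "GET /index.php?signature=0 HTTP/1.1" 200 512
"""

AUTH_PARAMS = {"signature", "password"}
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
NUMERIC_RE = re.compile(r"-?\d+(\.\d+)?([eE][-+]?\d+)?")


def suspicious_reason(target: str):
    """Return why a request target looks like a type-juggling attempt, or None if it does not."""
    parts = urlsplit(target)
    if not parts.path.endswith("/yourls-api.php"):
        return None
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        base = key.split("[", 1)[0]
        if base not in AUTH_PARAMS:
            continue
        if "[" in key:  # PHP turns name[]=... into an array, i.e. a non-string value
            return f"{base} sent as array ({key})"
        # A hash or password field carrying only a number or a boolean word is worth a look:
        # loose comparison treats such strings differently from ordinary text.
        if value in ("true", "false") or NUMERIC_RE.fullmatch(value):
            return f"{base} is a bare numeric/boolean token ({value!r})"
    return None


def scan_log(text: str):
    """Return (line number, reason) for every log line that suspicious_reason() flags."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if match:
            reason = suspicious_reason(match.group("target"))
            if reason:
                hits.append((lineno, reason))
    return hits


if __name__ == "__main__":
    for lineno, reason in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {reason}")
```

Requests to other paths are ignored, so the same shape of value on a non-API page (line 4 of the sample) is not reported; widen the path check if your deployment serves the API elsewhere.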

CVSS provenance

nvd   v3.0   9.8   CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd   v2.0   7.5   HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
ghsa         9.8   CRITICAL
osv          9.8   CRITICAL