Description
Yellowfin before 9.6.1 contains a stored cross-site scripting (XSS) vulnerability in the video embed functionality, exploitable through a specially crafted HTTP POST request to the page "ActivityStreamAjax.i4".
References
packetstormsecurity.com/...cure-Direct-Object-Reference.html
wiki.yellowfinbi.com/...urrent/Release+Notes+for+Yellowfin+9
github.com/...n-Multiple-Vulnerabilities/blob/main/README.md
seclists.org/fulldisclosure/2021/Oct/15 (20211019 Yellowfin < 9.6.1 Multiple Vulnerabilities)
cyberaz0r.info/2021/10/yellowfin-multiple-vulnerabilities/