Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Yiiframework Subscribe
Total 15 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-36655 1 Yiiframework 1 Gii 2023-01-30 N/A 8.8 HIGH
Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file.
CVE-2022-34297 1 Yiiframework 1 Gii 2022-12-12 N/A 5.4 MEDIUM
Yii Yii2 Gii through 2.2.4 allows stored XSS by injecting a payload into any field.
CVE-2022-41922 1 Yiiframework 1 Yii 2022-11-30 N/A 9.8 CRITICAL
`yiisoft/yii` before version 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. This has been patched in 1.1.27.
CVE-2021-3689 1 Yiiframework 1 Yii 2022-04-25 5.0 MEDIUM 7.5 HIGH
yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator
CVE-2021-3692 1 Yiiframework 1 Yii 2022-04-25 5.0 MEDIUM 5.3 MEDIUM
yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator
CVE-2020-15148 1 Yiiframework 1 Yii 2020-09-22 7.5 HIGH 10.0 CRITICAL
Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.
CVE-2018-6010 1 Yiiframework 1 Yiiframework 2020-08-24 5.0 MEDIUM 7.5 HIGH
In Yii Framework 2.x before 2.0.14, remote attackers could obtain potentially sensitive information from exception messages, or exploit reflected XSS on the error handler page in non-debug mode. Related to base/ErrorHandler.php, log/Dispatcher.php, and views/errorHandler/exception.php.
CVE-2018-20745 1 Yiiframework 1 Yii 2019-02-20 4.3 MEDIUM 5.9 MEDIUM
Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.
CVE-2018-8074 1 Yiiframework 1 Yii 2018-04-20 6.8 MEDIUM 8.1 HIGH
Yii 2.x before 2.0.15 allows remote attackers to inject unintended search conditions via a variant of the CVE-2018-7269 attack in conjunction with the Elasticsearch extension.
CVE-2018-7269 1 Yiiframework 1 Yii 2018-04-20 7.5 HIGH 9.8 CRITICAL
The findByCondition function in framework/db/ActiveRecord.php in Yii 2.x before 2.0.15 allows remote attackers to conduct SQL injection attacks via a findOne() or findAll() call, unless a developer recognizes an undocumented need to sanitize array input.
CVE-2018-8073 1 Yiiframework 1 Yii 2018-04-17 7.5 HIGH 9.8 CRITICAL
Yii 2.x before 2.0.15 allows remote attackers to execute arbitrary LUA code via a variant of the CVE-2018-7269 attack in conjunction with the Redis extension.
CVE-2018-6009 1 Yiiframework 1 Yiiframework 2018-02-09 6.8 MEDIUM 8.8 HIGH
In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity.
CVE-2017-11516 1 Yiiframework 1 Yii 2017-07-25 4.3 MEDIUM 6.1 MEDIUM
An XSS vulnerability exists in framework/views/errorHandler/exception.php in Yii Framework 2.0.12 affecting the exception screen when debug mode is enabled, because $exception->errorInfo is mishandled.
CVE-2015-3397 1 Yiiframework 1 Yiiframework 2016-12-05 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via vectors related to JSON, arrays, and Internet Explorer 6 or 7.
CVE-2014-4672 1 Yiiframework 1 Yiiframework 2014-07-23 7.5 HIGH N/A
The CDetailView widget in Yii PHP Framework 1.1.14 allows remote attackers to execute arbitrary PHP scripts via vectors related to the value property.