Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Yiiframework Subscribe
Filtered by product Yii
Total 9 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-41922 1 Yiiframework 1 Yii 2022-11-30 N/A 9.8 CRITICAL
`yiisoft/yii` before version 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. This has been patched in 1.1.27.
CVE-2021-3689 1 Yiiframework 1 Yii 2022-04-25 5.0 MEDIUM 7.5 HIGH
yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator
CVE-2021-3692 1 Yiiframework 1 Yii 2022-04-25 5.0 MEDIUM 5.3 MEDIUM
yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator
CVE-2020-15148 1 Yiiframework 1 Yii 2020-09-22 7.5 HIGH 10.0 CRITICAL
Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.
CVE-2018-20745 1 Yiiframework 1 Yii 2019-02-20 4.3 MEDIUM 5.9 MEDIUM
Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.
CVE-2018-8074 1 Yiiframework 1 Yii 2018-04-20 6.8 MEDIUM 8.1 HIGH
Yii 2.x before 2.0.15 allows remote attackers to inject unintended search conditions via a variant of the CVE-2018-7269 attack in conjunction with the Elasticsearch extension.
CVE-2018-7269 1 Yiiframework 1 Yii 2018-04-20 7.5 HIGH 9.8 CRITICAL
The findByCondition function in framework/db/ActiveRecord.php in Yii 2.x before 2.0.15 allows remote attackers to conduct SQL injection attacks via a findOne() or findAll() call, unless a developer recognizes an undocumented need to sanitize array input.
CVE-2018-8073 1 Yiiframework 1 Yii 2018-04-17 7.5 HIGH 9.8 CRITICAL
Yii 2.x before 2.0.15 allows remote attackers to execute arbitrary LUA code via a variant of the CVE-2018-7269 attack in conjunction with the Redis extension.
CVE-2017-11516 1 Yiiframework 1 Yii 2017-07-25 4.3 MEDIUM 6.1 MEDIUM
An XSS vulnerability exists in framework/views/errorHandler/exception.php in Yii Framework 2.0.12 affecting the exception screen when debug mode is enabled, because $exception->errorInfo is mishandled.