Skip to main content

Yiiframework

4 CVEs product

Monthly

CVE-2018-6010 PHP HIGH PATCH This Week

In Yii Framework 2.x before 2.0.14, remote attackers could obtain potentially sensitive information from exception messages, or exploit reflected XSS on the error handler page in non-debug mode. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS PHP Yiiframework
NVD GitHub
CVSS 3.0
7.5
EPSS
2.9%
CVE-2018-6009 PHP HIGH PATCH This Week

In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF PHP Yiiframework
NVD GitHub
CVSS 3.0
8.8
EPSS
0.6%
CVE-2015-3397 PHP MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via vectors related to JSON, arrays, and Internet Explorer 6 or 7. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Yiiframework
NVD GitHub
CVSS 2.0
4.3
EPSS
0.3%
CVE-2014-4672 PHP HIGH PATCH This Week

The CDetailView widget in Yii PHP Framework 1.1.14 allows remote attackers to execute arbitrary PHP scripts via vectors related to the value property. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE PHP Code Injection Yiiframework
NVD
CVSS 2.0
7.5
EPSS
0.6%
EPSS 3% CVSS 7.5
HIGH PATCH This Week

In Yii Framework 2.x before 2.0.14, remote attackers could obtain potentially sensitive information from exception messages, or exploit reflected XSS on the error handler page in non-debug mode. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS PHP Yiiframework
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF PHP Yiiframework
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via vectors related to JSON, arrays, and Internet Explorer 6 or 7. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Yiiframework
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The CDetailView widget in Yii PHP Framework 1.1.14 allows remote attackers to execute arbitrary PHP scripts via vectors related to the value property. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE PHP Code Injection +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy