Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
yiiframework yii vulnerabilities and exploits
(subscribe to this query)
10
CVSSv3
CVE-2020-15148
Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.
Yiiframework Yii
3 Github repositories
9.8
CVSSv3
CVE-2023-50708
yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth1/2 `state` and OpenID Connect `nonce` is vulnerable for a `timing attack` since it is compared via regular...
Yiiframework Yii2-authclient
9.8
CVSSv3
CVE-2023-47130
Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been dev...
Yiiframework Yii
9.8
CVSSv3
CVE-2015-5467
web\ViewAction in Yii (aka Yii2) 2.x prior to 2.0.5 allows malicious users to execute any local .php file via a relative path in the view parameeter.
Yiiframework Yii
9.8
CVSSv3
CVE-2023-26750
SQL injection vulnerability found in Yii Framework Yii 2 Framework before v.2.0.47 allows the a remote malicious user to execute arbitrary code via the runAction function. NOTE: the software maintainer's position is that the vulnerability is in third-party code, not in the f...
Yiiframework Yii
9.8
CVSSv3
CVE-2022-41922
`yiisoft/yii` before version 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. This has been patched in 1.1.27.
Yiiframework Yii
9.8
CVSSv3
CVE-2018-8073
Yii 2.x prior to 2.0.15 allows remote malicious users to execute arbitrary LUA code via a variant of the CVE-2018-7269 attack in conjunction with the Redis extension.
Yiiframework Yii
9.8
CVSSv3
CVE-2018-7269
The findByCondition function in framework/db/ActiveRecord.php in Yii 2.x prior to 2.0.15 allows remote malicious users to conduct SQL injection attacks via a findOne() or findAll() call, unless a developer recognizes an undocumented need to sanitize array input.
Yiiframework Yii
1 Github repository
8.8
CVSSv3
CVE-2023-50714
yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth2 PKCE implementation is vulnerable in 2 ways. First, the `authCodeVerifier` should be removed after usage ...
Yiiframework Yii2-authclient
8.8
CVSSv3
CVE-2020-36655
Yii Yii2 Gii prior to 2.2.2 allows remote malicious users to execute arbitrary code via the Generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file.
Yiiframework Gii
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
NULL pointer dereference
CVE-2023-52689
CVE-2024-23803
client side
CVE-2023-52696
information disclosure
CVE-2024-35843
CVE-2024-27130
CVE-2023-52697
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
3
NEXT »