CVE-2020-36655

Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file.
References
Link Resource
https://github.com/yiisoft/yii2-gii/issues/433 Exploit Issue Tracking Third Party Advisory
https://lab.wallarm.com/yii2-gii-remote-code-execution/ Exploit Mitigation Third Party Advisory
https://github.com/yiisoft/yii2-gii/issues/433 Exploit Issue Tracking Third Party Advisory
https://lab.wallarm.com/yii2-gii-remote-code-execution/ Exploit Mitigation Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:yiiframework:gii:*:*:*:*:*:yii2:*:*

History

21 Nov 2024, 05:30

Type Values Removed Values Added
New CVE

Information

Published : 2023-01-21 01:15

Updated : 2024-11-21 05:30


NVD link : CVE-2020-36655

Mitre link : CVE-2020-36655

CVE.ORG link : CVE-2020-36655


JSON object : View

Products Affected

yiiframework

  • gii
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')