Filtered by vendor Yiiframework
Subscribe
Total
21 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-2689 | 1 Yiiframework | 1 Yii | 2025-03-24 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function getIterator of the file symfony\finder\Iterator\SortableIterator.php. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-2690 | 1 Yiiframework | 1 Yii | 2025-03-24 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability, which was classified as critical, was found in yiisoft Yii2 up to 2.0.39. This affects the function Generate of the file phpunit\src\Framework\MockObject\MockClass.php. The manipulation leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2023-26750 | 1 Yiiframework | 1 Yii | 2025-02-13 | N/A | 9.8 CRITICAL |
| ** DISPUTED ** SQL injection vulnerability found in Yii Framework Yii 2 Framework before v.2.0.47 allows the a remote attacker to execute arbitrary code via the runAction function. NOTE: the software maintainer's position is that the vulnerability is in third-party code, not in the framework. | |||||
| CVE-2023-47130 | 1 Yiiframework | 1 Yii | 2024-11-21 | N/A | 8.1 HIGH |
| Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29 release. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2022-41922 | 1 Yiiframework | 1 Yii | 2024-11-21 | N/A | 8.1 HIGH |
| `yiisoft/yii` before version 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. This has been patched in 1.1.27. | |||||
| CVE-2022-34297 | 1 Yiiframework | 1 Gii | 2024-11-21 | N/A | 5.4 MEDIUM |
| Yii Yii2 Gii through 2.2.4 allows stored XSS by injecting a payload into any field. | |||||
| CVE-2022-31454 | 1 Yiiframework | 1 Yii | 2024-11-21 | N/A | 6.1 MEDIUM |
| ** DISPUTED ** Yii 2 v2.0.45 was discovered to contain a cross-site scripting (XSS) vulnerability via the endpoint /books. NOTE: this is disputed by the vendor because the cve-2022-31454-8e8555c31fd3 page does not describe why /books has a relationship to Yii 2. | |||||
| CVE-2021-3692 | 1 Yiiframework | 1 Yii | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator | |||||
| CVE-2021-3689 | 1 Yiiframework | 1 Yii | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator | |||||
| CVE-2020-36655 | 1 Yiiframework | 1 Gii | 2024-11-21 | N/A | 8.8 HIGH |
| Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file. | |||||
| CVE-2020-15148 | 1 Yiiframework | 1 Yii | 2024-11-21 | 7.5 HIGH | 8.9 HIGH |
| Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory. | |||||
| CVE-2018-8074 | 1 Yiiframework | 1 Yii | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| Yii 2.x before 2.0.15 allows remote attackers to inject unintended search conditions via a variant of the CVE-2018-7269 attack in conjunction with the Elasticsearch extension. | |||||
| CVE-2018-8073 | 1 Yiiframework | 1 Yii | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Yii 2.x before 2.0.15 allows remote attackers to execute arbitrary LUA code via a variant of the CVE-2018-7269 attack in conjunction with the Redis extension. | |||||
| CVE-2018-7269 | 1 Yiiframework | 1 Yii | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The findByCondition function in framework/db/ActiveRecord.php in Yii 2.x before 2.0.15 allows remote attackers to conduct SQL injection attacks via a findOne() or findAll() call, unless a developer recognizes an undocumented need to sanitize array input. | |||||
| CVE-2018-6010 | 1 Yiiframework | 1 Yiiframework | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In Yii Framework 2.x before 2.0.14, remote attackers could obtain potentially sensitive information from exception messages, or exploit reflected XSS on the error handler page in non-debug mode. Related to base/ErrorHandler.php, log/Dispatcher.php, and views/errorHandler/exception.php. | |||||
| CVE-2018-6009 | 1 Yiiframework | 1 Yiiframework | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity. | |||||
| CVE-2018-20745 | 1 Yiiframework | 1 Yii | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems. | |||||
| CVE-2017-11516 | 1 Yiiframework | 1 Yii | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS vulnerability exists in framework/views/errorHandler/exception.php in Yii Framework 2.0.12 affecting the exception screen when debug mode is enabled, because $exception->errorInfo is mishandled. | |||||
| CVE-2015-5467 | 1 Yiiframework | 1 Yii | 2024-11-21 | N/A | 9.8 CRITICAL |
| web\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameeter. | |||||
| CVE-2015-3397 | 1 Yiiframework | 1 Yiiframework | 2024-11-21 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via vectors related to JSON, arrays, and Internet Explorer 6 or 7. | |||||