Prevent RCE when deserializing untrusted user input

Impact

Affected versions of yiisoft/yii are vulnerable to Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input.

Patches

Upgrade yiisoft/yii to version 1.1.27 or higher.

For more information

See the following links for more details:

• Git commit
• https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection

If you have any questions or comments about this advisory, contact us through security form.