Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the...
9.8CVSS
7.6AI Score
0.004EPSS
web\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view...
9.8CVSS
9.1AI Score
0.001EPSS
Yii 2 v2.0.45 was discovered to contain a cross-site scripting (XSS) vulnerability via the endpoint /books. NOTE: this is disputed by the vendor because the cve-2022-31454-8e8555c31fd3 page does not describe why /books has a relationship to Yii...
6.1CVSS
6.1AI Score
0.0005EPSS
SQL injection vulnerability found in Yii Framework Yii 2 Framework before v.2.0.47 allows the a remote attacker to execute arbitrary code via the runAction function. NOTE: the software maintainer's position is that the vulnerability is in third-party code, not in the...
9.8CVSS
9.8AI Score
0.004EPSS
yiisoft/yii before version 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input. This has been patched in...
9.8CVSS
9.7AI Score
0.004EPSS
Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in CSV File in GitHub repository luyadev/yii-helpers prior to 1.2.1. Successful exploitation can lead to impacts such as client-sided command injection, code execution, or remote ex-filtration of contained...
7.8CVSS
7.9AI Score
0.001EPSS
YII2-CMS v1.0 has XSS in protected\core\modules\home\models\Contact.php via a name field to...
6.1CVSS
5.8AI Score
0.001EPSS
Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security...
5.9CVSS
5.8AI Score
0.001EPSS
Yii 2.x before 2.0.15 allows remote attackers to execute arbitrary LUA code via a variant of the CVE-2018-7269 attack in conjunction with the Redis...
9.8CVSS
8.7AI Score
0.005EPSS
The findByCondition function in framework/db/ActiveRecord.php in Yii 2.x before 2.0.15 allows remote attackers to conduct SQL injection attacks via a findOne() or findAll() call, unless a developer recognizes an undocumented need to sanitize array...
9.8CVSS
8.8AI Score
0.001EPSS
Yii 2.x before 2.0.15 allows remote attackers to inject unintended search conditions via a variant of the CVE-2018-7269 attack in conjunction with the Elasticsearch...
8.1CVSS
8.8AI Score
0.003EPSS
An XSS vulnerability exists in framework/views/errorHandler/exception.php in Yii Framework 2.0.12 affecting the exception screen when debug mode is enabled, because $exception->errorInfo is...
6.1CVSS
6AI Score
0.001EPSS
Reflected Cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.11, when development mode is used, allows remote attackers to inject arbitrary web script or HTML via crafted request data that is mishandled on the debug-mode exception...
6.1CVSS
6AI Score
0.002EPSS