Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions 5.8.21 and 4.16.17 to mitigate the issue. Resources: https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef...
GHSA-GGWG-CMWP-46R5 yiisoft/yii2 Mishandles the Attaching of Behavior Defined by a `__class` Array Key
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an `__class` array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025...
yiisoft/yii2 Mishandles the Attaching of Behavior Defined by a `__class` Array Key
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an `__class` array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025...
CVE-2024-58136
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an `__class` array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025...
CVE-2024-58136
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an `__class` array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025. Recent assessments: chutton-r7 at May 11, 2025 1:58pm UTC reported: On April 9, 2025, Yii released an advisory...
PT-2025-15893
Name of the Vulnerable Software and Affected Versions: Yii 2 versions prior to 2.0.52. Description: The issue arises from the mishandling of behavior attachment, specifically when behaviors are defined by a class array key. This has been exploited in the wild, with approximately 13,000 vulnerable...