CVE-2023-47130
Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 is vulnerable to Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29...
Rate Limit Bypass
Azuracast is vulnerable to Rate Limit Bypass. The vulnerability arises because the existing rate limiting functionality trusts the arbitrary user input coming from the X-Forwarded-For and Client IP headers. The vulnerability could allow an attacker to brute force a user password...
Yii Code Issue Vulnerability
Yii is a component-based, high-performance PHP framework for developing large-scale web applications, developed by the Yii team. A code issue vulnerability exists in Yii versions prior to 1.1.27; it stems from Remote Code Execution (RCE) being possible when the application calls unserialize on arbitrary user input...
CVE-2022-41922 yiisoft/yii before v1.1.27 vulnerable to Remote Code Execution if the application calls `unserialize()` on arbitrary user input
yiisoft/yii before version 1.1.27 is vulnerable to Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input. This has been patched in 1.1.27...
Prevent RCE when deserializing untrusted user input
Impact: Affected versions of yiisoft/yii are vulnerable to Remote Code Execution (RCE) if the application calls unserialize on arbitrary user input. Patches: Upgrade yiisoft/yii to version 1.1.27 or higher. For more information: See the following links for more details: - Git commit -...
GO-2021-0076 Out-of-bounds write in github.com/evanphx/json-patch
A malicious JSON patch can cause a panic due to an out-of-bounds write attempt. This can be used as a denial of service vector if exposed to arbitrary user input...
Remote code execution
Yii 2 yiisoft/yii2 before version 2.0.38 is vulnerable to remote code execution if the application calls unserialize on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory...
GHSA-V63X-XC9J-HHVQ Sandbox Breakout / Arbitrary Code Execution in safer-eval
All versions of safer-eval are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context and is not suited to processing arbitrary user input. This may allow attackers to execute arbitrary code on the system. Recommendation: The package is...
Input validation
DISPUTED: In WonderCMS 2.3.1, the application's input fields accept arbitrary user input, resulting in execution of malicious JavaScript. NOTE: the vendor disputes this issue, stating that this is a feature that enables only a logged-in administrator to write/execute JavaScript anywhere on their...
CVE-2017-14522
In WonderCMS 2.3.1, the application's input fields accept arbitrary user input, resulting in execution of malicious JavaScript. NOTE: the vendor disputes this issue, stating that this is a feature that enables only a logged-in administrator to write/execute JavaScript anywhere on their website...
CVE-2017-14522
Summary: CVE-2017-14522 affects WonderCMS 2.3.1, where input fields can accept arbitrary data and lead to execution of malicious JavaScript. Multiple sources corroborate a stored XSS risk in WonderCMS 2.3.1, with vendor dispute that this is a feature allowing only a logged-in administrator to wri...
XStream: remote code execution due to insecure XML deserialization
It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream...