11 matches found
CVE-2024-58136
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025...
yiisoft/yii2 Mishandles the Attaching of Behavior Defined by a `__class` Array Key
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025...
GHSA-GGWG-CMWP-46R5 yiisoft/yii2 Mishandles the Attaching of Behavior Defined by a `__class` Array Key
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025...
CVE-2024-58136
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025...
CVE-2024-58136
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025...
CVE-2024-58136
CVE-2024-58136 describes an RCE risk in CraftCMS tied to Yii2 behavior injection via the fieldLayout JSON posted to assembleLayoutFromPost. The root cause is unfiltered user data passed to Craft::createObject() and a missing cleanseConfig() before using the fieldLayout config, permitting an attac...
CVE-2024-4990
In yiisoft/yii2 version 2.0.48, the base Component class contains a vulnerability where the set magic method does not validate that the value passed is a valid Behavior class name or configuration. This allows an attacker to instantiate arbitrary classes, passing parameters to their constructors...
CVE-2024-4990
In yiisoft/yii2 version 2.0.48, the base Component class contains a vulnerability where the set magic method does not validate that the value passed is a valid Behavior class name or configuration. This allows an attacker to instantiate arbitrary classes, passing parameters to their constructors...
CVE-2024-4990 Unsafe Reflection in base Component class in yiisoft/yii2
In yiisoft/yii2 version 2.0.48, the base Component class contains a vulnerability where the set magic method does not validate that the value passed is a valid Behavior class name or configuration. This allows an attacker to instantiate arbitrary classes, passing parameters to their constructors...
CVE-2024-4990
CVE-2024-4990 (Yii2
CVE-2024-4990 Unsafe Reflection in base Component class in yiisoft/yii2
In yiisoft/yii2 version 2.0.48, the base Component class contains a vulnerability where the set magic method does not validate that the value passed is a valid Behavior class name or configuration. This allows an attacker to instantiate arbitrary classes, passing parameters to their constructors...