39 matches found
EUVD-2022-2388
Malicious code in bioql PyPI...
Yii 2 Redis may expose AUTH parameters in logs in case of connection failure
Impact On failing connection extension writes commands sequence to logs. AUTH parameters are written in plain text exposing username and password. That might be an issue if attacker has access to logs...
CVE-2025-48493 Yii 2 Redis may expose AUTH paramters in logs in case of connection failure
The Yii 2 Redis extension provides the redis key-value store support for the Yii framework 2.0. On failing connection, the extension writes commands sequence to logs. Prior to version 2.0.20, AUTH parameters are written in plain text exposing username and password. That might be an issue if...
CVE-2025-48493
The vulnerability CVE-2025-48493 affects the Yii 2 Redis extension (yii2-redis) used with Yii Framework 2.0. Prior to version 2.0.20, AUTH credentials are logged in plain text when a connection fails, exposing usernames and passwords to anyone with access to the logs. The issue is mitigated by up...
PT-2025-23939 · Yii · Yii 2 Redis Extension
Name of the Vulnerable Software and Affected Versions: Yii 2 Redis extension versions prior to 2.0.20 Description: The issue concerns the logging of commands when a connection fails in the Yii 2 Redis extension. Specifically, prior to version 2.0.20, AUTH parameters are written in plain text,...
CVE-2022-31454
Yii 2 v2.0.45 was discovered to contain a cross-site scripting XSS vulnerability via the endpoint /books. NOTE: this is disputed by the vendor because the cve-2022-31454-8e8555c31fd3 page does not describe why /books has a relationship to Yii 2...
CVE-2024-58136
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025...
CVE-2024-58136
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025...
CVE-2024-58136
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025...
CVE-2024-58136
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025...
CVE-2024-58136
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025...
CVE-2024-58136
CVE-2024-58136 describes an RCE risk in CraftCMS tied to Yii2 behavior injection via the fieldLayout JSON posted to assembleLayoutFromPost. The root cause is unfiltered user data passed to Craft::createObject() and a missing cleanseConfig() before using the fieldLayout config, permitting an attac...
CVE-2020-15148
Yii 2 yiisoft/yii2 before version 2.0.38 is vulnerable to remote code execution if the application calls unserialize on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory...
CVE-2024-32877
CVE-2024-32877 (Yii2): The vulnerability affects Yii2 (2.0.49.3) via the stack-trace display mechanism, where argument values longer than 32 characters are truncated but the full value is exposed in the title attribute. A double quote (") can break out of the title context and inject attributes (...
CVE-2022-31454
Yii 2 v2.0.45 was discovered to contain a cross-site scripting XSS vulnerability via the endpoint /books. NOTE: this is disputed by the vendor because the cve-2022-31454-8e8555c31fd3 page does not describe why /books has a relationship to Yii 2...
Cross site scripting
Yii 2 v2.0.45 was discovered to contain a cross-site scripting XSS vulnerability via the endpoint /books. NOTE: this is disputed by the vendor because the cve-2022-31454-8e8555c31fd3 page does not describe why /books has a relationship to Yii 2...
CVE-2022-31454
The connected sources confirm a cross-site scripting (XSS) vulnerability in Yii 2.0.45 exposed via the /books endpoint. The claim is that /books relates to Yii 2 is disputed by the vendor. Technical details on the underlying root cause, exploit steps, impacted versions beyond 2.0.45, and confirme...
CVE-2022-31454
Yii 2 v2.0.45 was discovered to contain a cross-site scripting XSS vulnerability via the endpoint /books. NOTE: this is disputed by the vendor because the cve-2022-31454-8e8555c31fd3 page does not describe why /books has a relationship to Yii 2...
CVE-2022-31454
Yii 2 v2.0.45 was discovered to contain a cross-site scripting XSS vulnerability via the endpoint /books. NOTE: this is disputed by the vendor because the cve-2022-31454-8e8555c31fd3 page does not describe why /books has a relationship to Yii 2...
CVE-2023-26750
Summary of CVE-2023-26750 : Yii 2 Framework prior to 2.0.47 contains a SQL injection vulnerability in the runAction function that can allow a remote attacker to execute arbitrary code. The issue’s impact is described as critical. Remediation available: upgrade to Yii 2.0.47 or later. Some connect...