Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Yii
(Yiiframework)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 12 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2023-07-28 | CVE-2022-31454 | Yii 2 v2.0.45 was discovered to contain a cross-site scripting (XSS) vulnerability via the endpoint /books. NOTE: this is disputed by the vendor because the cve-2022-31454-8e8555c31fd3 page does not describe why /books has a relationship to Yii 2. | Yii | 6.1 | ||
| 2023-04-04 | CVE-2023-26750 | SQL injection vulnerability found in Yii Framework Yii 2 Framework before v.2.0.47 allows the a remote attacker to execute arbitrary code via the runAction function. NOTE: the software maintainer's position is that the vulnerability is in third-party code, not in the framework. | Yii | 9.8 | ||
| 2023-11-14 | CVE-2023-47130 | Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29 release. Users are advised to upgrade. There are no known workarounds for this vulnerability. | Yii | 9.8 | ||
| 2023-09-21 | CVE-2015-5467 | web\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameeter. | Yii | 9.8 | ||
| 2022-11-23 | CVE-2022-41922 | `yiisoft/yii` before version 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. This has been patched in 1.1.27. | Yii | 9.8 | ||
| 2021-08-10 | CVE-2021-3689 | yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator | Yii | 7.5 | ||
| 2021-08-10 | CVE-2021-3692 | yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator | Yii | 5.3 | ||
| 2018-03-21 | CVE-2018-8074 | Yii 2.x before 2.0.15 allows remote attackers to inject unintended search conditions via a variant of the CVE-2018-7269 attack in conjunction with the Elasticsearch extension. | Yii | 8.1 | ||
| 2018-03-21 | CVE-2018-8073 | Yii 2.x before 2.0.15 allows remote attackers to execute arbitrary LUA code via a variant of the CVE-2018-7269 attack in conjunction with the Redis extension. | Yii | 9.8 | ||
| 2018-03-21 | CVE-2018-7269 | The findByCondition function in framework/db/ActiveRecord.php in Yii 2.x before 2.0.15 allows remote attackers to conduct SQL injection attacks via a findOne() or findAll() call, unless a developer recognizes an undocumented need to sanitize array input. | Yii | 9.8 |