CVE-2020-15148
8.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H
Summary
Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls unserialize() on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| yiisoft | yii2 | < 2.0.38 | affected |
Weaknesses
- CWE-502: {"CWE-502":"Deserialization of Untrusted Data"}
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/yiisoft/yii2/security/advisories/GHSA-699q-wcff-g9mj
- https://github.com/yiisoft/yii2/commit/9abccb96d7c5ddb569f92d1a748f50ee9b3e2b99
References
- https://github.com/yiisoft/yii2/security/advisories/GHSA-699q-wcff-g9mj
- https://github.com/yiisoft/yii2/commit/9abccb96d7c5ddb569f92d1a748f50ee9b3e2b99
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.