CVE-2020-15148

Summary

Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls unserialize() on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.

Affected Software

VendorProductVersion RangeStatus
yiisoftyii2< 2.0.38affected

Weaknesses

  • CWE-502: {"CWE-502":"Deserialization of Untrusted Data"}

ADP Enrichment

CVE Program Container

Additional References

References