CVE-2023-47130
8.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| yiisoft | yii | < 1.1.29 | affected |
Weaknesses
- CWE-502: CWE-502: Deserialization of Untrusted Data
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/yiisoft/yii/security/advisories/GHSA-mw2w-2hj2-fg8q
- https://github.com/yiisoft/yii/commit/37142be4dc5831114a375392e86d6450d4951c06
- https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/yiisoft/yii/security/advisories/GHSA-mw2w-2hj2-fg8q
- https://github.com/yiisoft/yii/commit/37142be4dc5831114a375392e86d6450d4951c06
- https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.