CVE-2018-6009

Published: Jan 22, 2018Modified: Nov 21, 2024

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity.

Affected (20)

Products: Yiiframework: Yiiframework

1 product

Configuration A

20 vulnerable

Vulnerable Software	Affected Versions
Yiiframework Yiiframework	Version 2.0.0
Yiiframework Yiiframework	Version 2.0.0 alpha
Yiiframework Yiiframework	Version 2.0.0 beta
Yiiframework Yiiframework	Version 2.0.0 rc
Yiiframework Yiiframework	Version 2.0.10
Yiiframework Yiiframework	Version 2.0.11.1
Yiiframework Yiiframework	Version 2.0.11.2
Yiiframework Yiiframework	Version 2.0.11
Yiiframework Yiiframework	Version 2.0.12
Yiiframework Yiiframework	Version 2.0.13.1
Yiiframework Yiiframework	Version 2.0.13
Yiiframework Yiiframework	Version 2.0.1
Yiiframework Yiiframework	Version 2.0.2
Yiiframework Yiiframework	Version 2.0.3
Yiiframework Yiiframework	Version 2.0.4
Yiiframework Yiiframework	Version 2.0.5
Yiiframework Yiiframework	Version 2.0.6
Yiiframework Yiiframework	Version 2.0.7
Yiiframework Yiiframework	Version 2.0.8
Yiiframework Yiiframework	Version 2.0.9

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (2)

https://github.com/yiisoft/yii2/commit/6c0540aa2d6e0fe0fa89e4fd35bba4be5d6cece7

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/yiisoft/yii2/commit/6c0540aa2d6e0fe0fa89e4fd35bba4be5d6cece7

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.