CVE-2023-47130

Published: Nov 14, 2023Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected (1)

Products: Yiiframework: Yii

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Yiiframework Yii	Before 1.1.29

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (6)

https://github.com/yiisoft/yii/commit/37142be4dc5831114a375392e86d6450d4951c06

Source: security-advisories@github.com

Patch

https://github.com/yiisoft/yii/security/advisories/GHSA-mw2w-2hj2-fg8q

Source: security-advisories@github.com

Patch

https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection

Source: security-advisories@github.com

Third Party Advisory

https://github.com/yiisoft/yii/commit/37142be4dc5831114a375392e86d6450d4951c06

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/yiisoft/yii/security/advisories/GHSA-mw2w-2hj2-fg8q

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.