CVE-2025-2690

Published: Mar 24, 2025Modified: Mar 24, 2025

5.3

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Show more

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: CNA (Secondary)

Description

A vulnerability, which was classified as critical, was found in yiisoft Yii2 up to 2.0.39. This affects the function Generate of the file phpunit\src\Framework\MockObject\MockClass.php. The manipulation leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Affected (1)

Products: Yiiframework: Yii

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Yiiframework Yii	From 2.0.0 to 2.0.39

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (4)

https://github.com/gaorenyusi/gaorenyusi/blob/main/Yii2-2.md

Source: cna@vuldb.com

ExploitThird Party Advisory

https://vuldb.com/?ctiid.300711

Source: cna@vuldb.com

Permissions RequiredVDB Entry

https://vuldb.com/?id.300711

Source: cna@vuldb.com

Permissions RequiredVDB Entry

https://vuldb.com/?submit.521718

Source: cna@vuldb.com

Third Party AdvisoryVDB Entry

Timeline

No history available yet.