Filtered by vendor Yiiframework
Subscriptions
Total
21 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2023-50714 | 1 Yiiframework | 1 Yii2-authclient | 2024-11-27 | 6.8 Medium |
yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth2 PKCE implementation is vulnerable in 2 ways. First, the `authCodeVerifier` should be removed after usage (similar to `authState`). Second, there is a risk for a `downgrade attack` if PKCE is being relied on for CSRF protection. Version 2.2.15 contains a patch for the issue. No known workarounds are available. | ||||
CVE-2023-50708 | 1 Yiiframework | 1 Yii2-authclient | 2024-11-21 | 6.1 Medium |
yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth1/2 `state` and OpenID Connect `nonce` is vulnerable for a `timing attack` since it is compared via regular string comparison (instead of `Yii::$app->getSecurity()->compareString()`). Version 2.2.15 contains a patch for the issue. No known workarounds are available. | ||||
CVE-2023-47130 | 1 Yiiframework | 1 Yii | 2024-11-21 | 8.1 High |
Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29 release. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
CVE-2023-26750 | 1 Yiiframework | 1 Yii | 2024-11-21 | 9.8 Critical |
SQL injection vulnerability found in Yii Framework Yii 2 Framework before v.2.0.47 allows the a remote attacker to execute arbitrary code via the runAction function. NOTE: the software maintainer's position is that the vulnerability is in third-party code, not in the framework. | ||||
CVE-2022-41922 | 1 Yiiframework | 1 Yii | 2024-11-21 | 8.1 High |
`yiisoft/yii` before version 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. This has been patched in 1.1.27. | ||||
CVE-2022-34297 | 1 Yiiframework | 1 Gii | 2024-11-21 | 5.4 Medium |
Yii Yii2 Gii through 2.2.4 allows stored XSS by injecting a payload into any field. | ||||
CVE-2022-31454 | 1 Yiiframework | 1 Yii | 2024-11-21 | 6.1 Medium |
Yii 2 v2.0.45 was discovered to contain a cross-site scripting (XSS) vulnerability via the endpoint /books. NOTE: this is disputed by the vendor because the cve-2022-31454-8e8555c31fd3 page does not describe why /books has a relationship to Yii 2. | ||||
CVE-2021-3692 | 1 Yiiframework | 1 Yii | 2024-11-21 | 5.3 Medium |
yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator | ||||
CVE-2021-3689 | 1 Yiiframework | 1 Yii | 2024-11-21 | 7.5 High |
yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator | ||||
CVE-2020-36655 | 1 Yiiframework | 1 Gii | 2024-11-21 | 8.8 High |
Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file. | ||||
CVE-2020-15148 | 1 Yiiframework | 1 Yii | 2024-11-21 | 8.9 High |
Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory. | ||||
CVE-2018-8074 | 1 Yiiframework | 1 Yii | 2024-11-21 | N/A |
Yii 2.x before 2.0.15 allows remote attackers to inject unintended search conditions via a variant of the CVE-2018-7269 attack in conjunction with the Elasticsearch extension. | ||||
CVE-2018-8073 | 1 Yiiframework | 1 Yii | 2024-11-21 | N/A |
Yii 2.x before 2.0.15 allows remote attackers to execute arbitrary LUA code via a variant of the CVE-2018-7269 attack in conjunction with the Redis extension. | ||||
CVE-2018-7269 | 1 Yiiframework | 1 Yii | 2024-11-21 | N/A |
The findByCondition function in framework/db/ActiveRecord.php in Yii 2.x before 2.0.15 allows remote attackers to conduct SQL injection attacks via a findOne() or findAll() call, unless a developer recognizes an undocumented need to sanitize array input. | ||||
CVE-2018-6010 | 1 Yiiframework | 1 Yiiframework | 2024-11-21 | N/A |
In Yii Framework 2.x before 2.0.14, remote attackers could obtain potentially sensitive information from exception messages, or exploit reflected XSS on the error handler page in non-debug mode. Related to base/ErrorHandler.php, log/Dispatcher.php, and views/errorHandler/exception.php. | ||||
CVE-2018-6009 | 1 Yiiframework | 1 Yiiframework | 2024-11-21 | N/A |
In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity. | ||||
CVE-2018-20745 | 1 Yiiframework | 1 Yii | 2024-11-21 | N/A |
Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems. | ||||
CVE-2017-11516 | 1 Yiiframework | 1 Yii | 2024-11-21 | N/A |
An XSS vulnerability exists in framework/views/errorHandler/exception.php in Yii Framework 2.0.12 affecting the exception screen when debug mode is enabled, because $exception->errorInfo is mishandled. | ||||
CVE-2015-5467 | 1 Yiiframework | 1 Yii | 2024-11-21 | 9.8 Critical |
web\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameeter. | ||||
CVE-2015-3397 | 1 Yiiframework | 1 Yiiframework | 2024-11-21 | N/A |
Cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via vectors related to JSON, arrays, and Internet Explorer 6 or 7. |