yiisoft/yii2 Security Advisories (11)
[HIGH] Unsafe Reflection in base Component class
PKSA-53mg-bvkk-zmbs CVE-2024-4990 GHSA-cjcc-p67m-7qxm
Affected version: <
Reported by: GitHub, FriendsOfPHP/security-advisories
[MEDIUM] Reflected Cross-site Scripting in yiisoft/yii2 Debug mode
PKSA-wtwk-rjc8-8k5p CVE-2024-32877 GHSA-qg5r-95m4-mjgj
Affected version: >=2.0.43,<
Reported by: GitHub
[MEDIUM] Yii Framework Reflected XSS
PKSA-gzy9-wx5d-bbf4 CVE-2017-7271 GHSA-4xh9-5vh8-3p58
Affected version: <2.0.11
Reported by: GitHub
[MEDIUM] Yii Cross-site Scripting Framework vulnerability
PKSA-pmpc-8m2s-x8bf CVE-2017-11516 GHSA-4c64-w8fg-xcq2
Affected version: =2.0.12
Reported by: GitHub
[MEDIUM] Yii Incorrectly Implements CORS
PKSA-9gg1-dnxr-781q CVE-2018-20745 GHSA-cr6r-6xm9-ww22
Affected version: <2.0.16
Reported by: GitHub
[HIGH] Possible remote code execution via unserialize() on user input containing specially crafted string
PKSA-qmd6-d7pz-yk89 CVE-2020-15148 GHSA-699q-wcff-g9mj
Affected version: <2.0.38
Reported by: GitHub, FriendsOfPHP/security-advisories
Potential SQL injection in methods `yii\db\ActiveRecord::findOne()` and `::findAll()`
PKSA-hb8b-2qmh-yv87 CVE-2018-7269
Affected version: <|>=2.0.13,<|>=2.0.14,<2.0.15
Reported by: FriendsOfPHP/security-advisories
[HIGH] Remote attackers could obtain potentially sensitive information from exception messages printed by the error handler in non-debug mode.
PKSA-rkx4-rmt9-k26g CVE-2018-6010 GHSA-8gfq-c54m-3rf6
Affected version: <2.0.14
Reported by: GitHub, FriendsOfPHP/security-advisories
[HIGH] The switchIdentity() function in yii\web\User did not regenerate the CSRF token upon a change of identity
PKSA-tgtc-bnhk-szjb CVE-2018-6009 GHSA-cwhm-272p-3wj9
Affected version: <2.0.14
Reported by: GitHub, FriendsOfPHP/security-advisories
[CRITICAL] class yii\web\ViewAction allowed to include arbitrary files that end with .php
PKSA-62sq-zmbb-yyr8 CVE-2015-5467 GHSA-7cfq-72w2-24q4
Affected version: <2.0.5
Reported by: GitHub, FriendsOfPHP/security-advisories
[MEDIUM] JSON Data encoded for use in HTML was not safe to use in IE6/IE7, possible XSS attacks
PKSA-98w7-zrnb-gcw4 CVE-2015-3397 GHSA-w2xx-jp9f-gp8g
Affected version: <2.0.4
Reported by: GitHub, FriendsOfPHP/security-advisories