CVE-2018-6009

In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 38%
VendorProductVersion
yiiframeworkyiiframework
2.0.0
yiiframeworkyiiframework
2.0.0:alpha
yiiframeworkyiiframework
2.0.0:beta
yiiframeworkyiiframework
2.0.0:rc
yiiframeworkyiiframework
2.0.1
yiiframeworkyiiframework
2.0.2
yiiframeworkyiiframework
2.0.3
yiiframeworkyiiframework
2.0.4
yiiframeworkyiiframework
2.0.5
yiiframeworkyiiframework
2.0.6
yiiframeworkyiiframework
2.0.7
yiiframeworkyiiframework
2.0.8
yiiframeworkyiiframework
2.0.9
yiiframeworkyiiframework
2.0.10
yiiframeworkyiiframework
2.0.11
yiiframeworkyiiframework
2.0.11.1
yiiframeworkyiiframework
2.0.11.2
yiiframeworkyiiframework
2.0.12
yiiframeworkyiiframework
2.0.13
yiiframeworkyiiframework
2.0.13.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/yiisoft/yii2/commit/6c0540aa2d6e0fe0fa89e4fd35bba4be5d6cece7
https://github.com/yiisoft/yii2/commit/6c0540aa2d6e0fe0fa89e4fd35bba4be5d6cece7