CVE-2018-6009

In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity.
CSRF
Severity: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Base Score
CVSS 3.x
EPSS Score percentile: 32%
Vulnerable software versions

Vendor        Product       Version
yiiframework  yiiframework  2.0.0
yiiframework  yiiframework  2.0.0
yiiframework  yiiframework  2.0.0
yiiframework  yiiframework  2.0.0
yiiframework  yiiframework  2.0.1
yiiframework  yiiframework  2.0.2
yiiframework  yiiframework  2.0.3
yiiframework  yiiframework  2.0.4
yiiframework  yiiframework  2.0.5
yiiframework  yiiframework  2.0.6
yiiframework  yiiframework  2.0.7
yiiframework  yiiframework  2.0.8
yiiframework  yiiframework  2.0.9
yiiframework  yiiframework  2.0.10
yiiframework  yiiframework  2.0.11
yiiframework  yiiframework  2.0.11.1
yiiframework  yiiframework  2.0.11.2
yiiframework  yiiframework  2.0.12
yiiframework  yiiframework  2.0.13
yiiframework  yiiframework  2.0.13.1