CVE-2023-47130

Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
GitHub_MCNA
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 86%
VendorProductVersion
yiiframeworkyii
𝑥
< 1.1.29
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/yiisoft/yii/commit/37142be4dc5831114a375392e86d6450d4951c06
https://github.com/yiisoft/yii/security/advisories/GHSA-mw2w-2hj2-fg8q
https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
https://github.com/yiisoft/yii/commit/37142be4dc5831114a375392e86d6450d4951c06
https://github.com/yiisoft/yii/security/advisories/GHSA-mw2w-2hj2-fg8q
https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection