Vulnerability Details CVE-2020-15148
Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.925
EPSS Ranking 99.7%
CVSS Severity
CVSS v3 Score 8.9
CVSS v2 Score 7.5
References
- https://github.com/yiisoft/yii2/commit/9abccb96d7c5ddb569f92d1a748f50ee9b3e2b99
- https://github.com/yiisoft/yii2/security/advisories/GHSA-699q-wcff-g9mj
- https://github.com/yiisoft/yii2/commit/9abccb96d7c5ddb569f92d1a748f50ee9b3e2b99
- https://github.com/yiisoft/yii2/security/advisories/GHSA-699q-wcff-g9mj
Products affected by CVE-2020-15148
-
cpe:2.3:a:yiiframework:yii:2.0.0
-
cpe:2.3:a:yiiframework:yii:2.0.1
-
cpe:2.3:a:yiiframework:yii:2.0.10
-
cpe:2.3:a:yiiframework:yii:2.0.11
-
cpe:2.3:a:yiiframework:yii:2.0.11.1
-
cpe:2.3:a:yiiframework:yii:2.0.11.2
-
cpe:2.3:a:yiiframework:yii:2.0.12
-
cpe:2.3:a:yiiframework:yii:2.0.12.1
-
cpe:2.3:a:yiiframework:yii:2.0.12.2
-
cpe:2.3:a:yiiframework:yii:2.0.13
-
cpe:2.3:a:yiiframework:yii:2.0.13.1
-
cpe:2.3:a:yiiframework:yii:2.0.13.2
-
cpe:2.3:a:yiiframework:yii:2.0.13.3
-
cpe:2.3:a:yiiframework:yii:2.0.14
-
cpe:2.3:a:yiiframework:yii:2.0.14.1
-
cpe:2.3:a:yiiframework:yii:2.0.14.2
-
cpe:2.3:a:yiiframework:yii:2.0.15
-
cpe:2.3:a:yiiframework:yii:2.0.15.1
-
cpe:2.3:a:yiiframework:yii:2.0.16
-
cpe:2.3:a:yiiframework:yii:2.0.16.1
-
cpe:2.3:a:yiiframework:yii:2.0.17
-
cpe:2.3:a:yiiframework:yii:2.0.18
-
cpe:2.3:a:yiiframework:yii:2.0.19
-
cpe:2.3:a:yiiframework:yii:2.0.2
-
cpe:2.3:a:yiiframework:yii:2.0.20
-
cpe:2.3:a:yiiframework:yii:2.0.21
-
cpe:2.3:a:yiiframework:yii:2.0.22
-
cpe:2.3:a:yiiframework:yii:2.0.23
-
cpe:2.3:a:yiiframework:yii:2.0.24
-
cpe:2.3:a:yiiframework:yii:2.0.25
-
cpe:2.3:a:yiiframework:yii:2.0.26
-
cpe:2.3:a:yiiframework:yii:2.0.27
-
cpe:2.3:a:yiiframework:yii:2.0.28
-
cpe:2.3:a:yiiframework:yii:2.0.29
-
cpe:2.3:a:yiiframework:yii:2.0.3
-
cpe:2.3:a:yiiframework:yii:2.0.30
-
cpe:2.3:a:yiiframework:yii:2.0.31
-
cpe:2.3:a:yiiframework:yii:2.0.32
-
cpe:2.3:a:yiiframework:yii:2.0.33
-
cpe:2.3:a:yiiframework:yii:2.0.34
-
cpe:2.3:a:yiiframework:yii:2.0.35
-
cpe:2.3:a:yiiframework:yii:2.0.36
-
cpe:2.3:a:yiiframework:yii:2.0.37
-
cpe:2.3:a:yiiframework:yii:2.0.4
-
cpe:2.3:a:yiiframework:yii:2.0.5
-
cpe:2.3:a:yiiframework:yii:2.0.6
-
cpe:2.3:a:yiiframework:yii:2.0.7
-
cpe:2.3:a:yiiframework:yii:2.0.8
-
cpe:2.3:a:yiiframework:yii:2.0.9