Vulnerability Details CVE-2023-47130
Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.033
EPSS Ranking 86.6%
CVSS Severity
CVSS v3 Score 8.1
References
- https://github.com/yiisoft/yii/commit/37142be4dc5831114a375392e86d6450d4951c06
- https://github.com/yiisoft/yii/security/advisories/GHSA-mw2w-2hj2-fg8q
- https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
- https://github.com/yiisoft/yii/commit/37142be4dc5831114a375392e86d6450d4951c06
- https://github.com/yiisoft/yii/security/advisories/GHSA-mw2w-2hj2-fg8q
- https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
Products affected by CVE-2023-47130
-
cpe:2.3:a:yiiframework:yii:*