Yiiframework: Security Vulnerabilities
Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file.
CVSS Score: 8.8 | EPSS Score: 0.013 | Published: 2023-01-21
Yii Yii2 Gii through 2.2.4 allows stored XSS by injecting a payload into any field.
CVSS Score: 5.4 | EPSS Score: 0.001 | Published: 2022-12-09
`yiisoft/yii` before version 1.1.27 is vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. This has been patched in 1.1.27.
CVSS Score: 8.1 | EPSS Score: 0.023 | Published: 2022-11-23
yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator
CVSS Score: 8.1 | EPSS Score: 0.005 | Published: 2021-08-10
yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator
CVSS Score: 8.1 | EPSS Score: 0.005 | Published: 2021-08-10
Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.
CVSS Score: 8.9 | EPSS Score: 0.917 | Published: 2020-09-15
Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.
CVSS Score: 5.9 | EPSS Score: 0.001 | Published: 2019-01-28
The findByCondition function in framework/db/ActiveRecord.php in Yii 2.x before 2.0.15 allows remote attackers to conduct SQL injection attacks via a findOne() or findAll() call, unless a developer recognizes an undocumented need to sanitize array input.
CVSS Score: 9.8 | EPSS Score: 0.006 | Published: 2018-03-21
Yii 2.x before 2.0.15 allows remote attackers to execute arbitrary Lua code via a variant of the CVE-2018-7269 attack in conjunction with the Redis extension.
CVSS Score: 9.8 | EPSS Score: 0.01 | Published: 2018-03-21
Yii 2.x before 2.0.15 allows remote attackers to inject unintended search conditions via a variant of the CVE-2018-7269 attack in conjunction with the Elasticsearch extension.
CVSS Score: 8.1 | EPSS Score: 0.009 | Published: 2018-03-21

Shodan ® - All rights reserved