Yiiframework: Security Vulnerabilities
In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity.
CVSS Score: 8.8 | EPSS Score: 0.002 | Published: 2018-01-22
In Yii Framework 2.x before 2.0.14, remote attackers could obtain potentially sensitive information from exception messages, or exploit reflected XSS on the error handler page in non-debug mode. Related to base/ErrorHandler.php, log/Dispatcher.php, and views/errorHandler/exception.php.
CVSS Score: 7.5 | EPSS Score: 0.011 | Published: 2018-01-22
An XSS vulnerability exists in framework/views/errorHandler/exception.php in Yii Framework 2.0.12 affecting the exception screen when debug mode is enabled, because $exception->errorInfo is mishandled.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2017-07-21
Cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via vectors related to JSON, arrays, and Internet Explorer 6 or 7.
CVSS Score: 4.3 | EPSS Score: 0.003 | Published: 2015-05-14
The CDetailView widget in Yii PHP Framework 1.1.14 allows remote attackers to execute arbitrary PHP scripts via vectors related to the value property.
CVSS Score: 7.5 | EPSS Score: 0.006 | Published: 2014-07-03

