Yiiframework: >> Yiiframework >> 2.0.12 Security Vulnerabilities
In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity.
CVSS Score
8.8
EPSS Score
0.002
Published
2018-01-22
In Yii Framework 2.x before 2.0.14, remote attackers could obtain potentially sensitive information from exception messages, or exploit reflected XSS on the error handler page in non-debug mode. Related to base/ErrorHandler.php, log/Dispatcher.php, and views/errorHandler/exception.php.
CVSS Score
7.5
EPSS Score
0.006
Published
2018-01-22