CVSS: 8.8EPSS: 0%CPEs: 20EXPL: 0CVE-2018-6009
https://notcve.org/view.php?id=CVE-2018-6009
In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity. En Yii Framework 2.x en versiones anteriores a la 2.0.14, la función switchIdentity en web/User.php no regeneró el token CSRF tras un cambio de identidad. • https://github.com/yiisoft/yii2/commit/6c0540aa2d6e0fe0fa89e4fd35bba4be5d6cece7 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 20EXPL: 0CVE-2018-6010
https://notcve.org/view.php?id=CVE-2018-6010
In Yii Framework 2.x before 2.0.14, remote attackers could obtain potentially sensitive information from exception messages, or exploit reflected XSS on the error handler page in non-debug mode. Related to base/ErrorHandler.php, log/Dispatcher.php, and views/errorHandler/exception.php. En Yii Framework versión 2.x en versiones anteriores a la 2.0.14, los atacantes remotos podrían obtener información potencialmente sensible de mensajes de excepción o explotar XSS reflejado en la página del controlador de errores en modo non-debug. Esto se relaciona con base/ErrorHandler.php, log/Dispatcher.php, y views/errorHandler/exception.php. • https://github.com/yiisoft/yii2/commit/6b0be47e0fa9c532e03b07b4369050582fcf5c7a https://github.com/yiisoft/yii2/issues/14711 https://github.com/yiisoft/yii2/pull/15534 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2015-3397
https://notcve.org/view.php?id=CVE-2015-3397
Cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via vectors related to JSON, arrays, and Internet Explorer 6 or 7. Vulnerabilidad de XSS en Yii Framework anterior a 2.0.4 permite a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a través de vectores relacionados con JSON, arrays, e Internet Explorer 6 o 7. • http://www.securityfocus.com/bid/74663 http://www.yiiframework.com/news/86/yii-2-0-4-is-released https://github.com/yiisoft/yii2/blob/2.0.4/framework/CHANGELOG.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •