CVE-2023-26750
https://notcve.org/view.php?id=CVE-2023-26750
SQL injection vulnerability found in Yii Framework Yii 2 Framework before v.2.0.47 allows a remote attacker to execute arbitrary code via the runAction function. NOTE: the software maintainer's position is that the vulnerability is in third-party code, not in the framework. • https://github.com/yiisoft/yii2/issues/19755 https://github.com/yiisoft/yii2/issues/19755#issuecomment-1426155955 https://github.com/yiisoft/yii2/issues/19755#issuecomment-1505390813 https://github.com/yiisoft/yii2/issues/19755#issuecomment-1505560351 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-36655
https://notcve.org/view.php?id=CVE-2020-36655
Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file. • https://github.com/yiisoft/yii2-gii/issues/433 https://lab.wallarm.com/yii2-gii-remote-code-execution • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2022-34297
https://notcve.org/view.php?id=CVE-2022-34297
Yii Yii2 Gii through 2.2.4 allows stored XSS by injecting a payload into any field. • https://gist.github.com/be4r/b5c48d97ef6726d3ee37f995ee5aac81 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-41922 – yiisoft/yii before v1.1.27 vulnerable to Remote Code Execution if the application calls `unserialize()` on arbitrary user input
https://notcve.org/view.php?id=CVE-2022-41922
`yiisoft/yii` before version 1.1.27 is vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. This has been patched in 1.1.27. • https://github.com/yiisoft/yii/commit/ed67b7cc57216557c5c595c6650cdd2d3aa41c52 https://github.com/yiisoft/yii/security/advisories/GHSA-442f-wcwq-fpcf • CWE-502: Deserialization of Untrusted Data
CVE-2021-3692 – Use of Predictable Algorithm in Random Number Generator in yiisoft/yii2
https://notcve.org/view.php?id=CVE-2021-3692
yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator. • https://github.com/yiisoft/yii2/commit/13f27e4d920a05d53236139e8b07007acd046a46 https://huntr.dev/bounties/55517f19-5c28-4db2-8b00-f78f841e8aba • CWE-330: Use of Insufficiently Random Values; CWE-1241: Use of Predictable Algorithm in Random Number Generator