
CVSS: 8.8 | EPSS: 0% | CPEs: 20 | EXPL: 0

In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity.
References: https://github.com/yiisoft/yii2/commit/6c0540aa2d6e0fe0fa89e4fd35bba4be5d6cece7
CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 7.5 | EPSS: 0% | CPEs: 20 | EXPL: 0

In Yii Framework 2.x before 2.0.14, remote attackers could obtain potentially sensitive information from exception messages, or exploit reflected XSS on the error handler page in non-debug mode. Related to base/ErrorHandler.php, log/Dispatcher.php, and views/errorHandler/exception.php.
References: https://github.com/yiisoft/yii2/commit/6b0be47e0fa9c532e03b07b4369050582fcf5c7a , https://github.com/yiisoft/yii2/issues/14711 , https://github.com/yiisoft/yii2/pull/15534
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

Cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via vectors related to JSON, arrays, and Internet Explorer 6 or 7.
References: http://www.securityfocus.com/bid/74663 , http://www.yiiframework.com/news/86/yii-2-0-4-is-released , https://github.com/yiisoft/yii2/blob/2.0.4/framework/CHANGELOG.md
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

The CDetailView widget in Yii PHP Framework 1.1.14 allows remote attackers to execute arbitrary PHP scripts via vectors related to the value property.
References: http://www.yiiframework.com/news/78/yii-1-1-15-is-released-security-fix
CWE-94: Improper Control of Generation of Code ('Code Injection')