CVE-2020-36655

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in packagist/yiisoft/yii2-gii

Identifiers

GHSA-3mpg-q26j-83j5, CVE-2020-36655

Package Slug

packagist/yiisoft/yii2-gii

Vulnerability

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Description

Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file.

Affected Versions

All versions before 2.2.2

Solution

Upgrade to version 2.2.2 or above.
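
A check for the affected range, as an added example that is not part of the advisory or of the Yii project's code: it reads a `composer.lock` and reports whether the locked `yiisoft/yii2-gii` version is before 2.2.2. The sample lock content is constructed, the function names `parse_version` and `audit_lock` are illustrative, and the script assumes the standard `packages` and `packages-dev` arrays of a Composer lock file.

```python
import json
import re

PACKAGE = "yiisoft/yii2-gii"
FIXED = (2, 2, 2)  # first fixed release according to the advisory

# Constructed sample composer.lock content (not taken from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "yiisoft/yii2", "version": "2.0.38"}],
    "packages-dev": [{"name": "yiisoft/yii2-gii", "version": "2.2.1"}],
})


def parse_version(raw):
    """Return ((major, minor, patch), is_prerelease), or None for branch aliases like 'dev-master'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)?(-.*)?(?:\+.*)?", raw.strip())
    if not m:
        return None
    nums = tuple(int(g or 0) for g in m.group(1, 2, 3))
    return nums, m.group(4) is not None


def audit_lock(lock_text):
    """List every locked yiisoft/yii2-gii entry with status affected, fixed or unknown."""
    findings = []
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):  # Gii is often a dev dependency
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() != PACKAGE:
                continue
            raw = pkg.get("version", "")
            parsed = parse_version(raw)
            if parsed is None:
                status = "unknown"  # branch alias: resolve the commit and review manually
            elif parsed[0] < FIXED or (parsed[0] == FIXED and parsed[1]):
                status = "affected"  # any release or pre-release before 2.2.2
            else:
                status = "fixed"
            findings.append({"section": section, "version": raw, "status": status})
    return findings


if __name__ == "__main__":
    for f in audit_lock(SAMPLE_LOCK):
        print(f"{PACKAGE} {f['version']} ({f['section']}): {f['status']}")
```

An `unknown` result means the lock pins a branch rather than a tagged release, so the version cannot be compared against 2.2.2 automatically.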

Last Modified

2023-01-31
