CVE-2023-47130

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in packagist/yiisoft/yii

Identifiers

GHSA-mw2w-2hj2-fg8q, CVE-2023-47130

Package Slug

packagist/yiisoft/yii

Vulnerability

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Description

Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 is vulnerable to Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected Versions

All versions before 1.1.29

Solution

Upgrade to version 1.1.29 or above.

Last Modified

2023-11-16

source