Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 is vulnerable to Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in yiisoft/yii.
In Yii Framework, remote attackers could obtain potentially sensitive information from exception messages, or exploit reflected XSS on the error handler page in non-debug mode. Related to base/ErrorHandler.php, log/Dispatcher.php, and views/errorHandler/exception.php.
In Yii Framework, the switchIdentity function in web/User.php does not regenerate the CSRF token upon a change of identity.
The CDetailView widget in Yii PHP Framework allows remote attackers to execute arbitrary PHP scripts via vectors related to the value property.