Advisories for Composer/Yiisoft/Yii2 package

2024

Unsafe Reflection in base Component class in yiisoft/yii2

Yii2 supports attaching Behaviors to Components by setting properties having the format 'as <behaviour-name>'. Internally this is done using the __set() magic method. If the value passed to this method is not an instance of the Behavior class, a new object is instantiated using Yii::createObject($value). However, there is no validation check that verifies that $value is a valid Behavior class name or configuration. An attacker that can control the content …

Reflected Cross-site Scripting in yiisoft/yii2 Debug mode

During the internal penetration testing of our product based on Yii2, we discovered an XSS vulnerability within the framework itself. This issue is relevant for the latest version of Yii2 (2.0.49.3).

2022

Yii Cross-site Scripting Framework vulnerability

An XSS vulnerability exists in framework/views/errorHandler/exception.php in Yii Framework 2.0.12 affecting the exception screen when debug mode is enabled, because $exception->errorInfo is mishandled.

Origin Validation Error

Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.

2020

Deserialization of Untrusted Data

Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls unserialize() on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.

2018

SQL injection

The findByCondition function in framework/db/ActiveRecord.php allows remote attackers to conduct SQL injection attacks via a findOne() or `findAll()à call, unless a developer recognizes an undocumented need to sanitize array input.

Information disclosure

Remote attackers can obtain potentially sensitive information from exception messages printed by the error handler in non-debug mode.

CSRF vulnerability in switchIdentiy

The switchIdentity() function in web/User.php did not regenerate the CSRF token upon a change of identity.

2017

Cross-site Scripting

A reflected Cross-site scripting exists in yii2.

2015

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Class yii\web\ViewAction allowed to include arbitrary files that end with .php.

Cross-site Scripting

Cross-site scripting (XSS) vulnerability in Yii Framework allows remote attackers to inject arbitrary web script or HTML via vectors related to JSON, arrays, and Internet Explorer 6