Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Yii 2 v2.0.45 was discovered to contain a cross-site scripting (XSS) vulnerability via the endpoint /books.
SQL injection vulnerability found in Yii Framework Yii 2 Framework before v.2.0.47 allows a remote attacker to execute arbitrary code via the runAction function.
yiisoft/yii before version 1.1.27 is vulnerable to Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input. This has been patched in 1.1.27.
yii2 is vulnerable to use of predictable algorithm in a random number generator
yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator
Yii 2 is vulnerable to remote code execution if the application calls unserialize() on arbitrary user input.
Yii actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.
The findByCondition function in framework/db/ActiveRecord.php allows remote attackers to conduct SQL injection attacks via a findOne() or findAll() call, unless a developer recognizes an undocumented need to sanitize array input.
Yii allows remote attackers to inject unintended search conditions.
Yii allows remote attackers to inject and execute arbitrary Lua code.
Remote attackers can obtain potentially sensitive information from exception messages printed by the error handler in non-debug mode.
The switchIdentity() function in web/User.php did not regenerate the CSRF token upon a change of identity.
An XSS vulnerability exists in framework/views/errorHandler/exception.
Class yii\web\ViewAction allowed to include arbitrary files that end with .php.
Cross-site scripting (XSS) vulnerability in Yii Framework allows remote attackers to inject arbitrary web script or HTML via vectors related to JSON, arrays, and Internet Explorer 6.