CVE-2020-36655: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

January 21, 2023 (updated January 31, 2023)

Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file.

References

github.com/advisories/GHSA-3mpg-q26j-83j5
github.com/yiisoft/yii2-gii/commit/ed61e0d85f43e23f79d7c9d1b4e5e5c09a32ce4b
github.com/yiisoft/yii2-gii/issues/433
lab.wallarm.com/yii2-gii-remote-code-execution/
nvd.nist.gov/vuln/detail/CVE-2020-36655

Detect and mitigate CVE-2020-36655 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →