CVE-2024-32877: Reflected Cross-site Scripting in yiisoft/yii2 Debug mode
During the internal penetration testing of our product based on Yii2, we discovered an XSS vulnerability within the framework itself. This issue is relevant for the latest version of Yii2 (2.0.49.3).