VYPR
Moderate severity · NVD Advisory · Published Jun 13, 2018 · Updated Sep 16, 2024

CVE-2018-12290

Description

The Yii2-StateMachine extension v2.x.x for Yii2 suffers from a cross-site scripting (XSS) vulnerability due to insufficient filtering of the role parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Yii2-StateMachine extension versions 2.x.x for the Yii2 framework contains a cross-site scripting (XSS) vulnerability. The role parameter is not properly sanitized, allowing injection of arbitrary JavaScript code [2].

Exploitation

An attacker can exploit this by sending a GET request with a crafted role parameter containing malicious script, e.g., ?role=guest'%22()%26%25 [2]. No special privileges are required as the parameter is user-controlled.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser, leading to information disclosure, session hijacking, or other client-side attacks [2].

Mitigation

No official fix was disclosed in the available references. Users should apply input validation and output encoding to the role parameter, or disable the extension if not needed [2].
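The validate-then-encode pattern recommended above, as an added PHP example that is not code from the extension or from the advisory. Yii2's Html::encode() wraps htmlspecialchars(), so plain PHP is used here to keep the file framework-free; the allow-list of role names is constructed for illustration.

```php
<?php
// Added example (not the extension's code): allow-list validation and
// HTML output encoding for a user-controlled "role" query parameter.
// In Yii2 the encoding step is yii\helpers\Html::encode(); plain
// htmlspecialchars() is used so this runs without the framework.

const ALLOWED_ROLES = ['guest', 'user', 'admin'];   // constructed allow-list

/** Return the role only if it is a known value; otherwise null. */
function validateRole(string $role): ?string
{
    return in_array($role, ALLOWED_ROLES, true) ? $role : null;
}

/** Encode for an HTML text node or a double-quoted attribute value. */
function encodeForHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Weak pattern: the raw parameter is reflected into markup unencoded. */
function renderUnsafe(string $role): string
{
    return "<a href=\"?role=$role\">Role: $role</a>";
}

/** Hardened pattern: reject unknown roles, encode on every output. */
function renderSafe(string $role): string
{
    $valid = validateRole($role);
    if ($valid === null) {
        // Generic message; the rejected input is never echoed back.
        return '<p>Unknown role.</p>';
    }
    $enc = encodeForHtml($valid);
    return "<a href=\"?role=$enc\">Role: $enc</a>";
}

// Constructed input: the probe value quoted in the advisory, URL-decoded.
$probe = urldecode("guest'%22()%26%25");   // guest'"()&%

echo renderUnsafe($probe), PHP_EOL;   // the double quote closes the href attribute
echo renderSafe($probe), PHP_EOL;     // <p>Unknown role.</p>
echo renderSafe('guest'), PHP_EOL;    // <a href="?role=guest">Role: guest</a>
```

Validation alone is not sufficient where a legitimate role name might contain metacharacters, so the encoding step is kept even for values that pass the allow-list.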

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                       Ecosystem   Affected versions        Patched versions
ptheofan/yii2-statemachine    Packagist   >= 2.0.0-RC1, <= 2.0.0   (none)

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 4
