VYPR
Moderate severity · OSV Advisory · Published Jan 28, 2019 · Updated Sep 17, 2024

CVE-2018-20745

Description

Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Yii 2.x through 2.0.15.1 incorrectly reflects arbitrary Origin headers when CORS is configured with a wildcard, violating CORS security design.

Vulnerability

Yii 2.x through version 2.0.15.1 contains a CORS misconfiguration vulnerability in its yii\filters\Cors filter. When the Access-Control-Allow-Origin policy is configured as a wildcard (*), the framework does not emit the literal * but instead reflects the Origin header value of the incoming request [2][3]. This behavior contradicts the CORS security design, which states that a wildcard should not be combined with credentials: browsers refuse to expose a credentialed response whose Access-Control-Allow-Origin is a literal *, whereas a reflected concrete origin passes that check, so the wildcard silently becomes an allow-any-origin policy even for credentialed requests. The affected versions are all Yii 2.x releases up to and including 2.0.15.1 [1].

Exploitation

An attacker can exploit this vulnerability by crafting a cross-origin request from any domain (e.g., via a malicious website or script) to a Yii application that has a CORS policy configured with a wildcard origin. The attacker does not need authentication or any special network position; the victim's browser sends the request with the attacker page's origin in the Origin header, and the Yii application reflects that value in Access-Control-Allow-Origin, thereby allowing the attacker's origin to read the response [3]. No user interaction beyond visiting the attacker's page is required.

Impact

Successful exploitation enables an attacker to perform cross-origin read operations on resources protected by CORS. If the application exposes sensitive data (e.g., API responses, user-specific content) that relies on CORS for access control, an attacker can exfiltrate that data by making requests from a malicious domain. The impact is information disclosure, potentially leading to further compromise depending on the nature of the exposed data [2].
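To make the Vulnerability and Impact sections concrete, the following is an added example (not Yii's code and not from the advisory): it models the wildcard-reflecting policy beside the patched literal-wildcard policy, and runs a simplified browser-side CORS check over the headers each one produces. The function names and the sample origin are constructed for illustration.

```python
def cors_headers_reflecting(allowed, origin, credentials):
    """Vulnerable policy (Yii <= 2.0.15.1 as the advisory describes): a '*' entry
    in the allow-list is turned into an echo of whatever Origin the request sent."""
    headers = {}
    if "*" in allowed or origin in allowed:
        headers["Access-Control-Allow-Origin"] = origin  # reflected verbatim
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def cors_headers_fixed(allowed, origin, credentials):
    """Patched policy (2.0.16 as described): '*' is emitted literally, so the
    browser's own rules keep credentialed cross-origin reads blocked."""
    headers = {}
    if "*" in allowed:
        headers["Access-Control-Allow-Origin"] = "*"
    elif origin in allowed:
        headers["Access-Control-Allow-Origin"] = origin
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def browser_cors_check(page_origin, with_credentials, headers):
    """Simplified Fetch-spec CORS check a browser runs before exposing a response."""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if not with_credentials and acao == "*":
        return True
    if acao != page_origin:  # a literal '*' never equals an origin: '*' + credentials fails
        return False
    if not with_credentials:
        return True
    return headers.get("Access-Control-Allow-Credentials") == "true"


def readable_by(page_origin, policy, allowed=("*",), with_credentials=True):
    """Can a page at page_origin read the response under the given policy?"""
    headers = policy(list(allowed), page_origin, with_credentials)
    return browser_cors_check(page_origin, with_credentials, headers)


if __name__ == "__main__":
    other = "https://other.example"  # constructed sample origin, not in any allow-list
    print("reflecting, credentialed:", readable_by(other, cors_headers_reflecting))  # True
    print("fixed, credentialed:     ", readable_by(other, cors_headers_fixed))       # False
```

The difference only appears on credentialed requests, which is exactly the case the wildcard rule in CORS exists to protect; for anonymous requests both policies behave the same.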

Mitigation

The vulnerability is fixed in Yii version 2.0.16, released on January 29, 2019 [1]. Users should upgrade to 2.0.16 or later. As a workaround, administrators can avoid using a wildcard (*) in the Access-Control-Allow-Origin configuration and instead explicitly list trusted origins. If upgrading is not immediately possible, disabling the CORS filter or restricting it to specific origins can mitigate the risk [3].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Affected versions   Patched versions
yiisoft/yii2 (Packagist)   < 2.0.16            2.0.16

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in the index yet)