VYPR
High severity · NVD Advisory · Published Jan 22, 2018 · Updated Aug 5, 2024

CVE-2018-6010

Description

In Yii Framework 2.x before 2.0.14, remote attackers could obtain potentially sensitive information from exception messages, or exploit reflected XSS on the error handler page in non-debug mode. Related to base/ErrorHandler.php, log/Dispatcher.php, and views/errorHandler/exception.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Yii Framework 2.x before 2.0.14 leaks sensitive information in exception messages and is vulnerable to reflected XSS via the error handler page.

Vulnerability

In Yii Framework versions 2.x prior to 2.0.14, the error handler component (in base/ErrorHandler.php, log/Dispatcher.php, and views/errorHandler/exception.php) fails to properly sanitize exception messages when the application is running in non-debug mode [1][2]. This allows remote attackers to obtain potentially sensitive information from those messages or exploit a reflected cross-site scripting (XSS) vulnerability on the error handler page [2]. The affected versions are all Yii 2.x releases before 2.0.14 [1].

Exploitation

An attacker can trigger the vulnerability by crafting a request that causes the application to throw an exception whose message contains malicious content. Because the error handler, even in non-debug mode, reflects the exception message back in the rendered error page without proper encoding, the attacker can inject arbitrary HTML or JavaScript [2]. No authentication or special privileges are required; the attack can be carried out remotely by enticing a user to visit a crafted URL or by causing the application to process attacker-controlled input that leads to an exception.
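The policy that 2.0.14 adopts for exception text shown to end users, written out as a standalone PHP example added here (it is not Yii's own code and not a workaround endorsed by the project): the `UserException` stand-in class and the function names `exceptionToPublicString` and `renderErrorPage` are assumptions, and the sample exception message is constructed.

```php
<?php
// Added example (not Yii's own code): the 2.0.14 policy for the exception
// text an end user may see, as a standalone function.
// UserException here is a stand-in for yii\base\UserException (assumed name).
class UserException extends Exception {}

function exceptionToPublicString(Throwable $e, bool $debug): string
{
    // Exceptions written for end users carry a message that is meant to be shown.
    if ($e instanceof UserException) {
        return get_class($e) . ': ' . $e->getMessage();
    }
    // Verbose detail (message, file, line, trace) only when debugging.
    if ($debug) {
        return sprintf("%s with message '%s'\nin %s:%d\nStack trace:\n%s",
            get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(),
            $e->getTraceAsString());
    }
    // Non-debug: a constant string that cannot carry attacker-influenced text.
    return 'An internal server error occurred.';
}

// Whatever the view echoes still has to be HTML-encoded: the generic string is
// constant, but UserException messages and debug output are not.
function renderErrorPage(Throwable $e, bool $debug): string
{
    $text = exceptionToPublicString($e, $debug);
    return '<pre>' . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</pre>';
}

// Constructed input: an internal exception whose message repeats untrusted
// request data, the situation the advisory describes.
$internal = new RuntimeException('No route for "<script>alert(1)</script>"');
echo renderErrorPage($internal, false), "\n"; // generic message, nothing leaked
echo renderErrorPage($internal, true), "\n";  // full detail, but HTML-encoded

$user = new UserException('Your session has expired, please sign in again.');
echo renderErrorPage($user, false), "\n";     // user-facing text, encoded
```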

Impact

Successful exploitation allows an attacker to read potentially sensitive information that may be embedded in exception messages, such as server paths, configuration details, or database queries [2]. More critically, the reflected XSS can be used to execute arbitrary JavaScript in the context of the victim's browser session, potentially leading to session hijacking, defacement, or theft of credentials [2]. The privilege level gained is that of the user's browser session, and the attack can be carried out against any user who triggers the malicious error page.

Mitigation

The vulnerability is fixed in Yii Framework version 2.0.14, released on January 22, 2018 [1]. Users should upgrade to 2.0.14 or later. No official workaround has been published for environments where upgrading immediately is not possible. The NVD does not list this CVE as part of the Known Exploited Vulnerabilities (KEV) catalog [2].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Affected versions     Patched versions
yiisoft/yii2 (Packagist)   >= 2.0.0, < 2.0.14    2.0.14


Patches (1)

Commit 6b0be47e0fa9

Fixes #14711: Fixed `yii\web\ErrorHandler` displaying exception message in non-debug mode

https://github.com/yiisoft/yii2 · Alexander Makarov · Jan 22, 2018 · via ghsa
5 files changed · +57 −23
  • framework/base/ErrorHandler.php  +28 −14  modified
    @@ -324,22 +324,36 @@ public static function convertExceptionToError($exception)
          */
         public static function convertExceptionToString($exception)
         {
    -        if ($exception instanceof Exception && ($exception instanceof UserException || !YII_DEBUG)) {
    -            $message = "{$exception->getName()}: {$exception->getMessage()}";
    -        } elseif (YII_DEBUG) {
    -            if ($exception instanceof Exception) {
    -                $message = "Exception ({$exception->getName()})";
    -            } elseif ($exception instanceof ErrorException) {
    -                $message = "{$exception->getName()}";
    -            } else {
    -                $message = 'Exception';
    -            }
    -            $message .= " '" . get_class($exception) . "' with message '{$exception->getMessage()}' \n\nin "
    -                . $exception->getFile() . ':' . $exception->getLine() . "\n\n"
    -                . "Stack trace:\n" . $exception->getTraceAsString();
    +        if ($exception instanceof UserException) {
    +            return "{$exception->getName()}: {$exception->getMessage()}";
    +        }
    +
    +        if (YII_DEBUG) {
    +            return static::convertExceptionToVerboseString($exception);
    +        }
    +
    +        return 'An internal server error occurred.';
    +    }
    +
    +    /**
    +     * Converts an exception into a string that has verbose information about the exception and its trace.
    +     * @param \Exception|\Error $exception the exception being converted
    +     * @return string the string representation of the exception.
    +     *
    +     * @since 2.0.14
    +     */
    +    public static function convertExceptionToVerboseString($exception)
    +    {
    +        if ($exception instanceof Exception) {
    +            $message = "Exception ({$exception->getName()})";
    +        } elseif ($exception instanceof ErrorException) {
    +            $message = "{$exception->getName()}";
             } else {
    -            $message = 'Error: ' . $exception->getMessage();
    +            $message = 'Exception';
             }
    +        $message .= " '" . get_class($exception) . "' with message '{$exception->getMessage()}' \n\nin "
    +            . $exception->getFile() . ':' . $exception->getLine() . "\n\n"
    +            . "Stack trace:\n" . $exception->getTraceAsString();
     
             return $message;
         }
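Review bot: the docblock that ends at `*/` just above `convertExceptionToString` should state the new contract, since this is a public method whose output changes: only `UserException` messages are passed through, debug mode delegates to `convertExceptionToVerboseString`, and every other case returns the fixed string `'An internal server error occurred.'` instead of the old `'Error: ' . $exception->getMessage()`. An upgrade note for callers that displayed or parsed the old non-debug text would belong next to the `@since 2.0.14` tag on the new method.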
    
  • framework/CHANGELOG.md  +1 −0  modified
    @@ -4,6 +4,7 @@ Yii Framework 2 Change Log
     2.0.14 under development
     ------------------------
     
    +- Bug #14711: Fixed `yii\web\ErrorHandler` displaying exception message in non-debug mode (samdark)
     - Enh #13814: MySQL unique index names can now contain spaces (df2)
     - Bug #15300: Fixed "Cannot read property 'style' of undefined" error at the error screen (vitorarantes)
     - Enh #15426: Added abilitiy to create and drop database views (igravity, vladis84)
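Review bot: the new changelog line only mentions the non-debug exception message, while this patch also removes the `$name = $handler->getExceptionName($exception);` assignment in views/errorHandler/exception.php; the entry should name that change too so readers can match it to the advisory's reflected XSS component. While this block is being edited, `abilitiy` in the Enh #15426 line is a typo for `ability`.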
    
  • framework/log/Dispatcher.php  +1 −1  modified
    @@ -190,7 +190,7 @@ public function dispatch($messages, $final)
                     } catch (\Exception $e) {
                         $target->enabled = false;
                         $targetErrors[] = [
    -                        'Unable to send log via ' . get_class($target) . ': ' . ErrorHandler::convertExceptionToString($e),
    +                        'Unable to send log via ' . get_class($target) . ': ' . ErrorHandler::convertExceptionToVerboseString($e),
                             Logger::LEVEL_WARNING,
                             __METHOD__,
                             microtime(true),
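Review bot: switching to `convertExceptionToVerboseString` here is the right call for an internal log (a warning that hides why a log target failed is not actionable), but the verbose format embeds newlines (`\n\nin ...`, `Stack trace:\n`), so the first element of this `$targetErrors[]` entry becomes a multi-line string where it used to be one line; log targets that write one record per line should be checked, or the string flattened before it is stored.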
    
  • framework/views/errorHandler/exception.php  +0 −1  modified
    @@ -17,7 +17,6 @@
             if ($exception instanceof \yii\web\HttpException) {
                 echo (int) $exception->statusCode . ' ' . $handler->htmlEncode($name);
             } else {
    -            $name = $handler->getExceptionName($exception);
                 if ($name !== null) {
                     echo $handler->htmlEncode($name . ' – ' . get_class($exception));
                 } else {
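Review bot: with the assignment removed, `$name` in this `else` branch is whatever the view set before the `if` (outside this hunk); confirm it is always defined on that path, otherwise `$name !== null` raises an undefined-variable notice inside the error view itself. A one-line comment stating that the name is deliberately not recomputed from the exception here (so the non-debug page does not expose the exception class) would keep a future cleanup from reintroducing the call.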
    
  • tests/framework/log/DispatcherTest.php  +27 −7  modified
    @@ -203,13 +203,33 @@ public function testDispatchWithFakeTarget2ThrowExceptionWhenCollect()
                     ->withConsecutive(
                         [$this->equalTo('messages'), $this->equalTo(true)],
                         [
    -                        [[
    -                            'Unable to send log via ' . get_class($target1) . ': Exception: some error',
    -                            Logger::LEVEL_WARNING,
    -                            'yii\log\Dispatcher::dispatch',
    -                            'time data',
    -                            [],
    -                        ]],
    +                        $this->callback(function($arg) use ($target1) {
    +                            if (!isset($arg[0][0], $arg[0][1], $arg[0][2], $arg[0][3])) {
    +                                return false;
    +                            }
    +
    +                            if (strpos($arg[0][0], 'Unable to send log via ' . get_class($target1) . ': Exception (Exception) \'yii\base\UserException\' with message \'some error\'') !== 0) {
    +                                return false;
    +                            }
    +
    +                            if ($arg[0][1] !== Logger::LEVEL_WARNING) {
    +                                return false;
    +                            }
    +
    +                            if ($arg[0][2] !== 'yii\log\Dispatcher::dispatch') {
    +                                return false;
    +                            }
    +
    +                            if ($arg[0][3] !== 'time data') {
    +                                return false;
    +                            }
    +
    +                            if ($arg[0][4] !== []) {
    +                                return false;
    +                            }
    +
    +                            return true;
    +                        }),
                             true,
                         ]
                     );
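Review bot: the `isset($arg[0][0], $arg[0][1], $arg[0][2], $arg[0][3])` guard does not cover `$arg[0][4]`, which the callback later compares with `!== []`; add `$arg[0][4]` to the isset so a short message array fails the callback cleanly instead of raising a notice. The `strpos(...) !== 0` check also hard-codes the first line of the verbose format, so any later change to `convertExceptionToVerboseString` must update this string; a comment noting that dependency would help.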
    
