High severityNVD Advisory· Published Sep 15, 2020· Updated Aug 4, 2024
Unsafe deserialization in Yii 2
CVE-2020-15148
Description
Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls unserialize() on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
yiisoft/yii2Packagist | < 2.0.38 | 2.0.38 |
Affected products
2- Range: < 2.0.38
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-699q-wcff-g9mjghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-15148ghsaADVISORY
- github.com/FriendsOfPHP/security-advisories/blob/master/yiisoft/yii2/CVE-2020-15148.yamlghsaWEB
- github.com/yiisoft/yii2/commit/9abccb96d7c5ddb569f92d1a748f50ee9b3e2b99ghsax_refsource_MISCWEB
- github.com/yiisoft/yii2/security/advisories/GHSA-699q-wcff-g9mjghsax_refsource_CONFIRMWEB
- www.yiiframework.com/news/303/yii-2-0-38ghsaWEB
News mentions
0No linked articles in our index yet.