CVE-2022-34297
Description
Yii Yii2 Gii through 2.2.4 allows stored XSS by injecting a payload into any field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Yii2 Gii through 2.2.4 suffers from stored cross-site scripting (XSS) because values submitted to several generator form fields are cached for the preview step and later re-rendered without output encoding.
Vulnerability
Analysis
CVE-2022-34297 describes a stored cross-site scripting (XSS) vulnerability in the Yii2 Gii code generation module through version 2.2.4 [1][2]. The root cause is that user-supplied values in fields such as "Message Category" (shown when I18N is enabled in the Model, CRUD, or Form generators), "Author Name" in the Extension Generator, and similar inputs are neither validated on input nor encoded on output. When a user submits a preview request, Gii caches the submitted form values and re-renders them verbatim into the generator page on later visits, so a payload entered once persists across requests rather than affecting only the submitter [2].
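The cache-then-render pattern described above, as an added example that is not Gii's code: a constructed stand-in for a generator's preview cache, the unencoded render that produces the stored XSS, the same render with HTML-attribute encoding applied at output time, and an HTML-parser check that counts how many elements a browser would actually see. The generator name, field name and payload are constructed for illustration.

```python
import html
from html.parser import HTMLParser
from typing import Dict, List

# Constructed stand-in for a Gii generator's preview cache (not Gii's own code):
# submitted form values are kept keyed by generator and field name.
_preview_cache: Dict[str, Dict[str, str]] = {}

# Constructed payload: closes the value attribute, then injects a script element.
PAYLOAD = '"><script>alert(document.cookie)</script>'


def cache_preview(generator: str, fields: Dict[str, str]) -> None:
    """Store submitted values exactly as received; nothing is validated here."""
    _preview_cache.setdefault(generator, {}).update(fields)


def render_vulnerable(generator: str, field: str) -> str:
    """Re-render the cached value into the form field without encoding.

    This is the stored-XSS pattern: whoever loads the generator page next
    receives the attacker's markup inside the input element.
    """
    value = _preview_cache.get(generator, {}).get(field, "")
    return f'<input name="{field}" value="{value}">'


def render_hardened(generator: str, field: str) -> str:
    """Same render with HTML-attribute encoding applied at output time.

    quote=True matters in attribute context: without it a double quote in
    the value still closes the attribute even though < and > are encoded.
    """
    value = _preview_cache.get(generator, {}).get(field, "")
    return f'<input name="{field}" value="{html.escape(value, quote=True)}">'


class _StartTagCollector(HTMLParser):
    """Records the start tags a browser-like parser sees in the markup."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def start_tags(markup: str) -> List[str]:
    """Return the element names parsed from markup; a safe field yields ['input']."""
    collector = _StartTagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def demo() -> Dict[str, List[str]]:
    """Cache the constructed payload, render it both ways, report what each parses to."""
    cache_preview("model", {"messageCategory": PAYLOAD})
    return {
        "vulnerable": start_tags(render_vulnerable("model", "messageCategory")),
        "hardened": start_tags(render_hardened("model", "messageCategory")),
    }


if __name__ == "__main__":
    print(demo())  # vulnerable parses to ['input', 'script'], hardened to ['input']
```

The check to take from this is the parser result rather than string inspection: the vulnerable render contains two elements where the template has one, which is exactly what the victim's browser will execute, while the hardened render leaves the payload as inert attribute text.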
Exploitation
Prerequisites
An attacker needs network access to a Gii instance (typically on a development server) and the ability to submit its web forms [1]. Gii's `allowedIPs` setting restricts access to localhost by default, and deployments commonly widen it to office or VPN ranges, so the attacker must either be on an allowed network or induce an authorized user to submit the payload [1]. No authentication is required beyond that IP check when access is open, although in practice Gii should be protected. The attacker enters JavaScript into one of the affected fields and requests a preview, which caches the value; on subsequent visits to the same generator page the cached value is rendered unencoded and the payload executes in the browser of any user who views it [2].
Impact
Successful exploitation gives persistent execution of arbitrary JavaScript in the context of the Gii application. An attacker can steal session cookies, perform actions on behalf of the victim, deface pages, or redirect to phishing sites [2]. Because Gii is a development tool used by administrators and developers, the impact is amplified: script running in a developer's Gii session can leak credentials or drive the generator itself, altering the code it writes into the project.
Mitigation
The vulnerability is present in Gii versions up to and including 2.2.4. As of the published date (December 2022) no official patch was referenced, and the package data on this page still lists no patched version, so access restriction is the primary control: keep `allowedIPs` at its localhost default, expose Gii only over a VPN or behind host-based firewall rules, and do not enable the module outside development environments [1][3]. If a later yii2-gii release that addresses the issue becomes available, upgrade to it. Instances that were reachable from untrusted networks should be audited for cached payloads in the generator forms and for signs of exploitation.
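The access restriction this mitigation relies on, as an added example that is not Gii's code: a Python re-implementation of the matching semantics Gii documents for its `allowedIPs` setting (an exact address, `*` for everything, or a prefix ending in `*` such as `192.168.0.*`), plus an audit helper that flags entries widening exposure beyond loopback. The matching logic and the sample configurations are assumptions made for illustration; verify against the installed module's own access check.

```python
from typing import Iterable, List

# Gii's documented default: loopback only (IPv4 and IPv6).
DEFAULT_ALLOWED_IPS = ["127.0.0.1", "::1"]

# Constructed examples of widened configurations seen on development servers.
LAN_ALLOWED_IPS = ["127.0.0.1", "::1", "192.168.0.*"]
OPEN_ALLOWED_IPS = ["*"]


def ip_allowed(client_ip: str, allowed_ips: Iterable[str]) -> bool:
    """Assumed re-implementation of the allowedIPs matching semantics.

    An entry matches when it is exactly the client address, the bare
    wildcard '*', or a pattern whose text before the first '*' is a prefix
    of the client address (e.g. '192.168.0.*' matches 192.168.0.7).
    """
    for pattern in allowed_ips:
        if pattern == "*" or pattern == client_ip:
            return True
        star = pattern.find("*")
        if star != -1 and client_ip.startswith(pattern[:star]):
            return True
    return False


def audit_allowed_ips(allowed_ips: Iterable[str]) -> List[str]:
    """Flag entries that let non-loopback hosts reach the generator forms.

    Every allowed host can plant the stored payload that later runs in a
    developer's browser, so each widening entry is reported separately.
    """
    findings: List[str] = []
    for pattern in allowed_ips:
        if pattern == "*":
            findings.append(f"{pattern}: Gii reachable from any address")
        elif "*" in pattern:
            findings.append(f"{pattern}: wildcard range, every host in it can submit generator forms")
        elif pattern not in DEFAULT_ALLOWED_IPS:
            findings.append(f"{pattern}: non-loopback host allowed")
    return findings


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_ALLOWED_IPS), ("lan", LAN_ALLOWED_IPS), ("open", OPEN_ALLOWED_IPS)):
        print(name, ip_allowed("192.168.0.7", cfg), audit_allowed_ips(cfg))
```

Two caveats when reading the audit output: a prefix wildcard admits every host in the range, not just the developer workstations it was added for, and the check is only as good as the address the framework compares, so an application configured to trust a forwarded-client header from a proxy lets the caller choose that address.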
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| yiisoft/yii2-gii (Packagist) | <= 2.2.4 | — |
Affected products
Yii / Yii2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.