VYPR
Critical severity · NVD Advisory · Published Apr 4, 2023 · Updated Feb 13, 2025

CVE-2023-26750

Description

SQL injection vulnerability found in Yii Framework Yii 2 Framework before v.2.0.47 allows a remote attacker to execute arbitrary code via the runAction function. NOTE: the software maintainer's position is that the vulnerability is in third-party code, not in the framework.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Yii 2 Framework before 2.0.47 (< 2.0.47) has an SQL injection reachable through runAction() via unsanitized request parameters; the description claims arbitrary code execution is possible.

Root Cause

CVE-2023-26750 describes an SQL injection reachable in Yii Framework 2 prior to version 2.0.47. The report locates the flaw at the runAction($route, $params) entry point (yii\base\Controller::runAction and yii\base\Module::runAction), where the $params array received from the request is bound to the target action's arguments without sanitization before the action passes them to database queries [2][3]. runAction itself builds no SQL: it resolves the route and binds $params to the action method's parameters by name, so an injection materializes only when the invoked action (application or third-party code) interpolates one of those arguments into a query string. That is the basis of the maintainers' position, recorded in the description, that the defect lies in third-party code rather than in the framework.

Exploitation

An attacker who can reach an affected action exploits this by crafting HTTP requests whose parameter values carry SQL fragments; runAction forwards them unchanged to the action. The proof-of-concept triggers the injection by calling yii\base\Module::runAction('PARAM0', ['VAR0' => 'INJECTION', 'VAR2' => 'PARAM2']), where PARAM0 stands for the route and VAR0 for the parameter whose value ends up inside a query [2][3][4]. The description credits a remote attacker and the advisory is rated Critical, consistent with a network-reachable vector that needs no authentication; whether a given deployment is exposed depends on which of its actions accept the parameter and how they build their queries.

Impact

Successful exploitation lets a remote attacker run attacker-controlled SQL against the application's database. Depending on the DBMS and on the privileges of the account the application connects with, the outcome ranges from reading, modifying or deleting data to full compromise of the database server. The arbitrary code execution claimed in the description would require DBMS-specific features such as xp_cmdshell on Microsoft SQL Server or user-defined functions on MySQL, which are available only to privileged database accounts [1]; running the application under a least-privilege database user limits the injection to the data that user can already touch.

Mitigation

The advisory lists Yii Framework 2.0.47 as the patched version, and users are strongly advised to upgrade to it or later. Because the maintainers consider the root cause to lie in third-party code rather than in the framework [1][2], upgrading alone does not fix an action that still concatenates request parameters into SQL: audit every action whose arguments reach a query and pass values through Yii's parameter binding (createCommand($sql, $params), or Query and ActiveRecord hash conditions) instead of string interpolation. No workarounds have been published, and the CVE is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
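The following controller is an added illustration of the pattern the advisory describes, not code from Yii, from the CVE references, or from any affected third-party package. It assumes a Yii 2 application with a configured db component and a table named user with an integer id column; the controller, route and column names are hypothetical. actionView shows the defect runAction forwards request parameters into (string interpolation), and actionViewSafe the bound-parameter form plus an explicit type check that rejects the payload before it reaches the database.

```php
<?php
// Added example: illustrates CVE-2023-26750's pattern, not code from Yii
// or the CVE references. Assumes a Yii 2 app with a 'db' component and a
// hypothetical "user" table with an integer "id" column.

namespace app\controllers;

use Yii;
use yii\db\Query;
use yii\web\BadRequestHttpException;
use yii\web\Controller;
use yii\web\NotFoundHttpException;

class UserController extends Controller
{
    // VULNERABLE. Yii::$app->runAction('user/view', ['id' => '1 OR 1=1'])
    // binds the request value straight to $id; the framework never touches
    // the SQL. The interpolation on the next lines is the actual defect:
    // the query becomes  SELECT * FROM user WHERE id = 1 OR 1=1
    // and returns a row from the whole table.
    public function actionView($id)
    {
        $sql = "SELECT * FROM user WHERE id = $id";
        return Yii::$app->db->createCommand($sql)->queryOne();
    }

    // HARDENED. The same call against 'user/view-safe' is rejected by the
    // type check, and even without it the value would travel to the DBMS
    // as a bound parameter that cannot change the statement's structure.
    public function actionViewSafe($id)
    {
        // Defense in depth: an id must be a non-negative integer string.
        if (!ctype_digit((string) $id)) {
            throw new BadRequestHttpException('id must be an integer.');
        }

        // Parameter binding: the DBMS receives ':id' as a value, not as SQL text.
        $row = Yii::$app->db
            ->createCommand('SELECT * FROM user WHERE id = :id', [':id' => $id])
            ->queryOne();

        // Equivalent via the query builder, which binds hash-condition values:
        // $row = (new Query())->from('user')->where(['id' => $id])->one();

        if ($row === false) {
            throw new NotFoundHttpException('No such user.');
        }
        return $row;
    }
}
```

The proof-of-concept shape from the references, Module::runAction('route', ['param' => 'INJECTION']), maps onto Yii::$app->runAction('user/view', ['id' => '1 OR 1=1']) here; it reaches actionView() with $id already set to the payload, which is why the fix belongs in the action and not in runAction. ctype_digit and createCommand($sql, $params) are standard PHP and Yii 2 APIs; the hash-condition form of Query::where() binds its values the same way.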

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Affected versions   Patched versions
yiisoft/yii2 (Packagist)   < 2.0.47            2.0.47

Affected products: 2

Patches: 0 (no patch commits linked yet)


References: 6

News mentions: 0