High severity · NVD Advisory · Published Nov 14, 2023 · Updated Aug 14, 2024
Unsafe deserialization of user data in yiisoft/yii
CVE-2023-47130
Description
Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 is vulnerable to Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input: the framework ships classes that can be reached as gadgets in a PHP object injection chain (see the OWASP reference below), so an attacker who controls the serialized string may compromise the host system. A fix is included in the 1.1.29 release, and users are advised to upgrade. There are no known workarounds for this vulnerability. Note that the upgrade only removes the gadget inside the framework; calling unserialize() on untrusted input remains unsafe in its own right and should be avoided regardless of version.
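Added example, not code from the Yii project, this advisory, or the fix commit: it shows the bug class the description refers to. The class TempFileCleaner is a constructed stand-in for whatever framework class the real chain uses, the function names are assumptions, and the payload is built by hand the way an attacker would build it. The vulnerable unserialize() call sits beside two hardened forms, and the script checks that the hardened form neutralises the payload.

```php
<?php
// Added example, not code from the Yii project or from this advisory.
// Demonstrates PHP object injection through unserialize() on
// attacker-controlled input, and the mitigation. TempFileCleaner is a
// constructed gadget for illustration; it is NOT the gadget inside yiisoft/yii.

declare(strict_types=1);

// Hypothetical application class with a dangerous destructor. Any autoloadable
// class that acts on its own properties inside a magic method (__destruct,
// __wakeup, __toString, ...) is a potential gadget, because unserialize()
// lets the attacker choose the class and every property value.
final class TempFileCleaner
{
    public string $path = '';

    public function __destruct()
    {
        // $this->path is attacker-controlled once the object is unserialized.
        if ($this->path !== '' && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable pattern: trusting a cookie / POST field / cache entry.
function loadStateVulnerable(string $userInput): mixed
{
    return unserialize($userInput);
}

// Hardened pattern 1: refuse objects entirely. Scalars and arrays still
// round-trip; any class becomes __PHP_Incomplete_Class, whose magic methods
// never run.
function loadStateHardened(string $userInput): mixed
{
    return unserialize($userInput, ['allowed_classes' => false]);
}

// Hardened pattern 2: do not use PHP serialization for untrusted data at all.
function loadStateJson(string $userInput): mixed
{
    return json_decode($userInput, true, 512, JSON_THROW_ON_ERROR);
}

// --- demonstration ---------------------------------------------------------
$victim = tempnam(sys_get_temp_dir(), 'victim');
file_put_contents($victim, 'important data');

// Constructed payload: a serialized TempFileCleaner whose path points at the
// victim file. No code runs on the server to produce it; it is only a
// serialized property list the attacker writes by hand.
$payload = 'O:15:"TempFileCleaner":1:{s:4:"path";s:' . strlen($victim) . ':"' . $victim . '";}';

$obj = loadStateVulnerable($payload);
unset($obj);                      // __destruct fires here and unlinks the victim
printf("vulnerable: victim exists? %s\n", var_export(file_exists($victim), true));

file_put_contents($victim, 'important data');
$obj = loadStateHardened($payload);
printf("hardened: unserialize returned %s\n", get_class($obj));
unset($obj);                      // no destructor on __PHP_Incomplete_Class
printf("hardened: victim exists? %s\n", var_export(file_exists($victim), true));
unlink($victim);
```

Run with `php example.php`: the first check reports the victim file gone, deleted by the gadget's destructor; the second reports it intact, because `allowed_classes => false` turns the payload into a `__PHP_Incomplete_Class` with no magic methods. To find out whether an application is exposed, run `composer show yiisoft/yii` and compare the installed version against 1.1.29, then grep the code base for calls to `unserialize(` that take request, cookie or cache data. The only fix for the framework gadget is the upgrade; the application-side call should still be replaced with JSON or `allowed_classes => false`, since the `allowed_classes` list only helps if it names no class with a usable magic method.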
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| yiisoft/yii (Packagist) | < 1.1.29 | 1.1.29 |
Affected products
- yiisoft/yii (v5): range < 1.1.29
Patches
Fixed in the 1.1.29 release; the referenced commit in yiisoft/yii is 37142be4dc5831114a375392e86d6450d4951c06 (see References).
References
- github.com/advisories/GHSA-mw2w-2hj2-fg8q (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-47130 (NVD advisory)
- github.com/yiisoft/yii/commit/37142be4dc5831114a375392e86d6450d4951c06 (referenced commit in yiisoft/yii)
- github.com/yiisoft/yii/security/advisories/GHSA-mw2w-2hj2-fg8q (vendor security advisory)
- owasp.org/www-community/vulnerabilities/PHP_Object_Injection (background on PHP Object Injection)