VYPR
Moderate severity · NVD Advisory · Published May 30, 2024 · Updated Aug 2, 2024

Reflected Cross-site Scripting in yiisoft/yii2 Debug mode

CVE-2024-32877

Description

Yii 2 is a PHP application framework. During internal penetration testing of a product based on Yii2, users discovered a Cross-site Scripting (XSS) vulnerability within the framework itself. This issue is relevant for the latest version of Yii2 (2.0.49.3). This issue lies in the mechanism for displaying function argument values in the stack trace. The vulnerability manifests when an argument's value exceeds 32 characters. For convenience, argument values exceeding this limit are truncated and displayed with an added "...". The full argument value becomes visible when hovering over it with the mouse, as it is displayed in the title attribute of a span tag. However, the use of a double quote (") allows an attacker to break out of the title attribute's value context and inject their own attributes into the span tag, including malicious JavaScript code through event handlers such as onmousemove. This vulnerability allows an attacker to execute arbitrary JavaScript code in the security context of the victim's site via a specially crafted link. This could lead to the theft of cookies (including httpOnly cookies, which are accessible on the page), content substitution, or complete takeover of user accounts. This issue has been addressed in version 2.0.50. Users are advised to upgrade. There are no known workarounds for this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Yii2 2.0.49.3 has a reflected XSS in its debug-mode stack trace, caused by insufficient HTML encoding of long argument values.

Vulnerability

Description

CVE-2024-32877 is a Reflected Cross-site Scripting (XSS) vulnerability in the Yii2 PHP framework, affecting version 2.0.49.3 and earlier. The flaw resides in the htmlEncode function within framework/web/ErrorHandler.php, which is used to display stack traces when debug mode is enabled (YII_DEBUG=true) and an exception occurs. Specifically, when a function argument's value exceeds 32 characters, it is truncated with an appended "...". The full value is placed in the title attribute of a `<span>` tag, visible on hover. However, because the encoding used ENT_NOQUOTES, double quote characters (") were not escaped, allowing an attacker to break out of the title attribute and inject arbitrary HTML attributes, including event handlers like onmousemove [2][3].
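To make the mechanism concrete, here is an added example (not code from the Yii project) that places the 2.0.49.3 encoder flags next to the fixed ones and applies both to a simplified stand-in for the truncated-argument markup. `renderArgument()` and `titleAttributeIsIntact()` are assumed helpers written for this illustration, and the sample value is constructed.

```php
<?php
// Added example, not Yii's own code: the encoder as shipped in 2.0.49.3 next
// to the fixed one, applied to a stand-in for the stack-trace argument markup.
// renderArgument() and titleAttributeIsIntact() are hypothetical helpers that
// only mirror the shape described in the advisory (32-character truncation,
// full value in a title attribute).

// Encoder before the fix: ENT_NOQUOTES leaves " and ' untouched.
function htmlEncodeVulnerable(string $text): string
{
    return htmlspecialchars($text, ENT_NOQUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encoder after the fix: ENT_QUOTES turns " into &quot; and ' into &apos;.
function htmlEncodeFixed(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Stand-in for the argument display: values longer than 32 characters are
// truncated, and the full value goes into the title attribute of a span.
// (Byte-based strlen/substr are enough for the ASCII sample used here.)
function renderArgument(string $value, callable $encode): string
{
    if (strlen($value) > 32) {
        return '<span title="' . $encode($value) . '">'
            . $encode(substr($value, 0, 32)) . '...</span>';
    }
    return '<span>' . $encode($value) . '</span>';
}

// Defender's check: a raw double quote inside the title value means the
// attribute boundary is no longer under the template's control.
function titleAttributeIsIntact(string $html): bool
{
    if (!preg_match('/<span title="(.*)">/s', $html, $m)) {
        return true; // no title attribute was rendered
    }
    return strpos($m[1], '"') === false;
}

// Constructed sample input: long enough to be truncated and carrying one
// double quote, the character the advisory identifies as the problem.
$sample = str_repeat('a', 40) . '"' . str_repeat('b', 5);

foreach (['vulnerable' => 'htmlEncodeVulnerable', 'fixed' => 'htmlEncodeFixed'] as $label => $encoder) {
    $html = renderArgument($sample, $encoder);
    printf("%-10s title intact: %s\n  %s\n", $label, titleAttributeIsIntact($html) ? 'yes' : 'no', $html);
}
```

Run with `php` on the command line: the vulnerable encoder leaves the raw `"` inside the title value, so the check reports that the attribute is not intact, while the fixed encoder emits `&quot;` and the check passes. The same function output is used for both the text node and the attribute value, which is why a text-only encoding (ENT_NOQUOTES) was never sufficient for this template.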

Exploitation

Conditions

To exploit this vulnerability, three conditions must be met: the framework must be in debug mode (YII_DEBUG=true), the PHP setting zend.exception_ignore_args must be off (default), and an attacker must induce an exception in the application that reflects a crafted argument value in the stack trace. A proof-of-concept URL demonstrates injection via a long parameter containing %22 (double quote) and an onmousemove event handler [3]. No authentication is required; the attack can be performed by tricking a victim into visiting a specially crafted link [2][3].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser within the context of the affected site. This can lead to theft of cookies (including httpOnly cookies, which are accessible on the page), content substitution, or complete account takeover [2][3].

Mitigation

The issue has been addressed in Yii2 version 2.0.49.4 (later 2.0.50) by changing htmlspecialchars to use ENT_QUOTES instead of ENT_NOQUOTES, ensuring proper encoding of both single and double quotes [1][4]. No workarounds are available, and users are strongly advised to upgrade to a patched version [2].
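As an added example (not part of the advisory or the Yii project), the following script turns the three preconditions from the Conditions section and the patched-version threshold into a single deployment self-check. `assessExposure()` is a hypothetical helper; `Composer\InstalledVersions` is Composer's real runtime API, and the `vendor/autoload.php` path is an assumed standard project layout.

```php
<?php
// Added example, not Yii's own code: a self-check for the preconditions in
// the advisory (debug mode on, exception arguments recorded, unpatched
// framework). assessExposure() is a hypothetical helper written here.

use Composer\InstalledVersions;

// Pure function so it can be exercised with constructed inputs.
function assessExposure(bool $debugMode, string $ignoreArgsIni, ?string $yiiVersion): array
{
    // zend.exception_ignore_args=Off keeps argument values in stack traces.
    // An empty string (directive absent, as on PHP < 7.4) also means "recorded".
    $argsRecorded = !filter_var($ignoreArgsIni, FILTER_VALIDATE_BOOLEAN);

    // 2.0.49.4 is the first version carrying the ENT_QUOTES fix.
    $patched = $yiiVersion !== null
        && version_compare(ltrim($yiiVersion, 'v'), '2.0.49.4', '>=');

    return [
        'debug_mode'     => $debugMode,
        'args_in_traces' => $argsRecorded,
        'patched'        => $patched,
        'exposed'        => $debugMode && $argsRecorded && !$patched,
    ];
}

// Constructed inputs: an unpatched debug deployment, then the same one upgraded.
print_r(assessExposure(true, 'Off', '2.0.49.3'));
print_r(assessExposure(true, 'Off', '2.0.49.4'));

// Live values from the current process. YII_DEBUG is normally defined by the
// application's entry script, so include this file after that bootstrap (or
// define the constant the same way) for the first flag to be meaningful.
$autoload = __DIR__ . '/vendor/autoload.php'; // assumed project layout
if (is_file($autoload)) {
    require $autoload;
}
$installed = class_exists(InstalledVersions::class) && InstalledVersions::isInstalled('yiisoft/yii2')
    ? InstalledVersions::getPrettyVersion('yiisoft/yii2')
    : null;

print_r(assessExposure(
    defined('YII_DEBUG') && YII_DEBUG,
    (string) ini_get('zend.exception_ignore_args'),
    $installed
));
```

The two constructed calls report `exposed` as true for 2.0.49.3 and false for 2.0.49.4; the third call reflects the host it runs on. Because the advisory lists no workaround, a result of `exposed => true` has exactly one remediation, the upgrade, although turning `YII_DEBUG` off in production removes the rendering path that reaches `htmlEncode()` in the first place.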

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: yiisoft/yii2 (Packagist)
Affected versions: >= 2.0.43, < 2.0.49.4
Patched versions: 2.0.49.4

Affected products (2)

Patches (3)
62d081f18c36

CVE-2024-32877, Fix Reflected XSS in Debug mode, CVE-2024-4990, Fix Unsafe Reflection in base Component class

https://github.com/yiisoft/yii2 · Robert Korulczyk · Jun 4, 2024 · via ghsa
4 files changed · +21 −6
  • framework/base/Component.php +9 −1 modified
    @@ -188,7 +188,15 @@ public function __set($name, $value)
             } elseif (strncmp($name, 'as ', 3) === 0) {
                 // as behavior: attach behavior
                 $name = trim(substr($name, 3));
    -            $this->attachBehavior($name, $value instanceof Behavior ? $value : Yii::createObject($value));
    +            if ($value instanceof Behavior) {
    +                $this->attachBehavior($name, $value);
    +            } elseif (isset($value['class']) && is_subclass_of($value['class'], 'yii\base\Behavior', true)) {
    +                $this->attachBehavior($name, Yii::createObject($value));
    +            } elseif (is_string($value) && is_subclass_of($value, 'yii\base\Behavior', true)) {
    +                $this->attachBehavior($name, Yii::createObject($value));
    +            } else {
    +                throw new InvalidConfigException('Class is not of type yii\base\Behavior or its subclasses');
    +            }
     
                 return;
             }
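Review bot: `is_subclass_of()` in `+            } elseif (isset($value['class']) && is_subclass_of($value['class'], 'yii\base\Behavior', true)) {` and in the `is_string($value)` branch returns false for `yii\base\Behavior` itself, so a configuration that names the base class directly now throws `InvalidConfigException` where it previously attached; if that should remain allowed, `is_a($class, 'yii\base\Behavior', true)` accepts the class and its subclasses. The two `Yii::createObject($value)` branches differ only in how the class name is extracted and could be collapsed into one check on a resolved name, and the thrown message would be more useful to operators if it included the rejected class name.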
    
  • framework/CHANGELOG.md +7 −0 modified
    @@ -1,6 +1,13 @@
     Yii Framework 2 Change Log
     ==========================
     
    +2.0.49.4 June 4, 2024
    +---------------------
    +
    +- Bug: CVE-2024-32877, Fix Reflected XSS in Debug mode (Antiphishing)
    +- Bug: CVE-2024-4990, Fix Unsafe Reflection in base Component class (@mtangoo)
    +
    +
     2.0.49.3 October 31, 2023
     -------------------------
     
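Review bot: The entry format on `+- Bug: CVE-2024-32877, Fix Reflected XSS in Debug mode (Antiphishing)` departs from the `Bug #NNNN:` form used by the surrounding entries, and the two blank lines before `2.0.49.3 October 31, 2023` leave one more empty line than between other releases; a single blank line keeps the log consistent. Naming the concrete change (quote encoding in `ErrorHandler::htmlEncode()`) in the entry would also let readers find the behaviour change without opening the commit.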
    
  • framework/web/ErrorHandler.php +1 −1 modified
    @@ -180,7 +180,7 @@ protected function convertExceptionToArray($exception)
          */
         public function htmlEncode($text)
         {
    -        return htmlspecialchars($text, ENT_NOQUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    +        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
         }
     
         /**
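Review bot: The one-flag change from `ENT_NOQUOTES` to `ENT_QUOTES` is the right fix for a value that ends up inside a quoted `title` attribute, since `htmlspecialchars()` with `ENT_NOQUOTES` leaves both `"` and `'` untouched. The docblock above `public function htmlEncode($text)` should state that the output must stay safe for quoted attribute values as well as text content, so the flags are not relaxed again for an unrelated reason, as happened when `ENT_SUBSTITUTE` was introduced in 8cc9aeb2f0b2. With `ENT_HTML5`, the single quote is emitted as `&apos;`, which the test updates in this commit correctly expect.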
    
  • tests/framework/web/ErrorHandlerTest.php +4 −4 modified
    @@ -85,19 +85,19 @@ public function dataHtmlEncode()
             return [
                 [
                     "a \t=<>&\"'\x80`\n",
    -                "a \t=&lt;&gt;&amp;\"'�`\n",
    +                "a \t=&lt;&gt;&amp;&quot;&apos;�`\n",
                 ],
                 [
                     '<b>test</b>',
                     '&lt;b&gt;test&lt;/b&gt;',
                 ],
                 [
                     '"hello"',
    -                '"hello"',
    +                '&quot;hello&quot;',
                 ],
                 [
                     "'hello world'",
    -                "'hello world'",
    +                "&apos;hello world&apos;",
                 ],
                 [
                     'Chip&amp;Dale',
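Review bot: The `&apos;` expectations on `+                "a \t=&lt;&gt;&amp;&quot;&apos;�`\n",` and `+                "&apos;hello world&apos;",` depend on `ENT_HTML5`; with `ENT_HTML401` PHP emits `&#039;`, so this test fails if the doctype flag is ever changed independently of the quote flag. That is fine as a regression guard, but a comment in `dataHtmlEncode()` saying the expected entities assume HTML5 would save the next maintainer a surprise. A dedicated row with a double quote in the middle of a long string, mirroring the advisory's `title` attribute case, would also document why the quote encoding matters here.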
    @@ -130,7 +130,7 @@ public function testHtmlEncodeWithUnicodeSequence()
             $handler = Yii::$app->getErrorHandler();
     
             $text = "a \t=<>&\"'\x80\u{20bd}`\u{000a}\u{000c}\u{0000}";
    -        $expected = "a \t=&lt;&gt;&amp;\"'�₽`\n\u{000c}\u{0000}";
    +        $expected = "a \t=&lt;&gt;&amp;&quot;&apos;�₽`\n\u{000c}\u{0000}";
     
             $this->assertSame($expected, $handler->htmlEncode($text));
         }
    
f7baab16e79f

Merge pull request from GHSA-qg5r-95m4-mjgj

https://github.com/yiisoft/yii2 · Start X · May 30, 2024 · via ghsa
2 files changed · +2 −1
  • framework/CHANGELOG.md +1 −0 modified
    @@ -27,6 +27,7 @@ Yii Framework 2 Change Log
     - New #20137: Added `yii\caching\CallbackDependency` to allow using a callback to determine if a cache dependency is still valid (laxity7)
     - Enh #20134: Raise minimum `PHP` version to `7.3` (@terabytesoftw)
     - Bug #20141: Update `ezyang/htmlpurifier` dependency to version `4.17` (@terabytesoftw)
    +- CVE-2024-32877: Fixed Reflected XSS in Debug mode (Antiphishing)
     - CVE-2024-4990: Fix Unsafe Reflection in base Component class (@mtangoo)
     - Bug #19817: Add MySQL Query `addCheck()` and `dropCheck()` (@bobonov)
     - Bug #20165: Adjust pretty name of closures for PHP 8.4 compatibility (@staabm)
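Review bot: `+- CVE-2024-32877: Fixed Reflected XSS in Debug mode (Antiphishing)` uses the past tense while the neighbouring entries use the imperative (`Fix`, `Update`, `Add`), including the CVE-2024-4990 line directly below it; change `Fixed` to `Fix` so both CVE entries read the same.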
    
  • framework/web/ErrorHandler.php +1 −1 modified
    @@ -181,7 +181,7 @@ protected function convertExceptionToArray($exception)
          */
         public function htmlEncode($text)
         {
    -        return htmlspecialchars($text, ENT_NOQUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    +        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
         }
     
         /**
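Review bot: This commit switches `htmlEncode()` to `ENT_QUOTES` but touches only the changelog and `ErrorHandler.php`, so the expectations added to `tests/framework/web/ErrorHandlerTest.php` in 8cc9aeb2f0b2 (`'"hello"'` expected unchanged, `"'hello world'"` expected unchanged, and the raw `\"'` in the Unicode case) will now fail; the test updates that 62d081f18c36 carries belong in the same change so the branch stays green.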
    
8cc9aeb2f0b2

Fix #18749: Fix `yii\web\ErrorHandler::encodeHtml()` to support strings with invalid UTF symbols

https://github.com/yiisoft/yii2 · Sergei Predvoditelev · Jul 6, 2021 · via ghsa
3 files changed · +57 −1
  • framework/CHANGELOG.md +1 −0 modified
    @@ -6,6 +6,7 @@ Yii Framework 2 Change Log
     
     - Bug #14663: Do not convert int to string if database type of a column is numeric (egorrishe)
     - Bug #18650: Refactor `framework/assets/yii.activeForm.js` arrow function into traditional function for IE11 compatibility (marcovtwout)
    +- Bug #18749: Fix `yii\web\ErrorHandler::encodeHtml()` to support strings with invalid UTF symbols (vjik)
     - Enh #18724: Allow jQuery 3.6 to be installed (marcovtwout)
     - Enh #18628: Added strings "software", and "hardware" to `$specials` array in `yii\helpers\BaseInflector` (kjusupov)
     - Enh #18653: Added method `yii\helpers\BaseHtml::getInputIdByName()` (WinterSilence)
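Review bot: The entry names `yii\web\ErrorHandler::encodeHtml()`, but the method changed in this commit is `htmlEncode()` (see the `ErrorHandler.php` hunk below); correct the name here, and in the commit title, so the changelog points at the method that actually exists.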
    
  • framework/web/ErrorHandler.php +1 −1 modified
    @@ -180,7 +180,7 @@ protected function convertExceptionToArray($exception)
          */
         public function htmlEncode($text)
         {
    -        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    +        return htmlspecialchars($text, ENT_NOQUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
         }
     
         /**
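Review bot: Replacing `ENT_QUOTES` with `ENT_NOQUOTES` is unrelated to the stated goal (tolerating invalid UTF-8, which `ENT_SUBSTITUTE` provides on its own) and weakens the encoder: `"` and `'` now pass through, so any caller that places `htmlEncode()` output inside a quoted attribute, such as the `title` attribute holding truncated stack-trace arguments, loses its escaping. Keep `ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5`, and change the test rows in this commit that expect quotes to survive unencoded to the `&quot;`/`&apos;` forms.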
    
  • tests/framework/web/ErrorHandlerTest.php +55 −0 modified
    @@ -79,6 +79,61 @@ public function testRenderCallStackItem()
     
             $this->assertContains('<a href="netbeans://open?file=' . $file . '&line=63">', $out);
         }
    +
    +    public function dataHtmlEncode()
    +    {
    +        return [
    +            [
    +                "a \t=<>&\"'\x80`\n",
    +                "a \t=&lt;&gt;&amp;\"'�`\n",
    +            ],
    +            [
    +                '<b>test</b>',
    +                '&lt;b&gt;test&lt;/b&gt;',
    +            ],
    +            [
    +                '"hello"',
    +                '"hello"',
    +            ],
    +            [
    +                "'hello world'",
    +                "'hello world'",
    +            ],
    +            [
    +                'Chip&amp;Dale',
    +                'Chip&amp;amp;Dale',
    +            ],
    +            [
    +                "\t\$x=24;",
    +                "\t\$x=24;",
    +            ],
    +        ];
    +    }
    +
    +    /**
    +     * @dataProvider dataHtmlEncode
    +     */
    +    public function testHtmlEncode($text, $expected)
    +    {
    +        $handler = Yii::$app->getErrorHandler();
    +
    +        $this->assertSame($expected, $handler->htmlEncode($text));
    +    }
    +
    +    public function testHtmlEncodeWithUnicodeSequence()
    +    {
    +        if (PHP_VERSION_ID < 70000) {
    +            $this->markTestSkipped('Can not be tested on PHP < 7.0');
    +            return;
    +        }
    +
    +        $handler = Yii::$app->getErrorHandler();
    +
    +        $text = "a \t=<>&\"'\x80\u{20bd}`\u{000a}\u{000c}\u{0000}";
    +        $expected = "a \t=&lt;&gt;&amp;\"'�₽`\n\u{000c}\u{0000}";
    +
    +        $this->assertSame($expected, $handler->htmlEncode($text));
    +    }
     }
     
     class ErrorHandler extends \yii\web\ErrorHandler
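Review bot: The rows `'"hello"'` → `'"hello"'` and `"'hello world'"` → `"'hello world'"` lock in quotes passing through unencoded; if that is intentional the test should say why, and if not (the encoder's output is used inside attribute values) the expected values should be the encoded forms. Separately, the `return;` after `$this->markTestSkipped(...)` is unreachable because `markTestSkipped()` throws, and the `PHP_VERSION_ID < 70000` guard can be dropped once the framework's minimum PHP version is above 7.0.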
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (7)

News mentions (0)

No linked articles in our index yet.