Packagist (Composer) package
yiisoft/yii2-dev
pkg:composer/yiisoft/yii2-dev
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-2689 | — | <= 2.0.45 | — | Mar 24, 2025 | A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function getIterator of the file symfony\finder\Iterator\SortableIterator.php. The manipulation leads to deserialization. The attack may be launched remot | ||
| CVE-2021-3692 | — | < 2.0.43 | 2.0.43 | Aug 10, 2021 | yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator | ||
| CVE-2021-3689 | — | < 2.0.43 | 2.0.43 | Aug 10, 2021 | yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator | ||
| CVE-2018-8074 | Hig | 8.1 | >= 2.0.0, < 2.0.15 | 2.0.15 | Mar 21, 2018 | Yii 2.x before 2.0.15 allows remote attackers to inject unintended search conditions via a variant of the CVE-2018-7269 attack in conjunction with the Elasticsearch extension. | |
| CVE-2018-7269 | Cri | 9.8 | < 2.0.12.1 | 2.0.12.1 | Mar 21, 2018 | The findByCondition function in framework/db/ActiveRecord.php in Yii 2.x before 2.0.15 allows remote attackers to conduct SQL injection attacks via a findOne() or findAll() call, unless a developer recognizes an undocumented need to sanitize array input. | |
| CVE-2018-6009 | Hig | 8.8 | >= 2.0, < 2.0.14 | 2.0.14 | Jan 22, 2018 | In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity. | |
| CVE-2017-11516 | Med | 6.1 | >= 2.0.12, < 2.0.13 | 2.0.13 | Jul 21, 2017 | An XSS vulnerability exists in framework/views/errorHandler/exception.php in Yii Framework 2.0.12 affecting the exception screen when debug mode is enabled, because $exception->errorInfo is mishandled. |
- CVE-2025-2689Mar 24, 2025affected <= 2.0.45
A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function getIterator of the file symfony\finder\Iterator\SortableIterator.php. The manipulation leads to deserialization. The attack may be launched remot
- CVE-2021-3692Aug 10, 2021affected < 2.0.43fixed 2.0.43
yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator
- CVE-2021-3689Aug 10, 2021affected < 2.0.43fixed 2.0.43
yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator
- affected >= 2.0.0, < 2.0.15fixed 2.0.15
Yii 2.x before 2.0.15 allows remote attackers to inject unintended search conditions via a variant of the CVE-2018-7269 attack in conjunction with the Elasticsearch extension.
- affected < 2.0.12.1fixed 2.0.12.1
The findByCondition function in framework/db/ActiveRecord.php in Yii 2.x before 2.0.15 allows remote attackers to conduct SQL injection attacks via a findOne() or findAll() call, unless a developer recognizes an undocumented need to sanitize array input.
- affected >= 2.0, < 2.0.14fixed 2.0.14
In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity.
- affected >= 2.0.12, < 2.0.13fixed 2.0.13
An XSS vulnerability exists in framework/views/errorHandler/exception.php in Yii Framework 2.0.12 affecting the exception screen when debug mode is enabled, because $exception->errorInfo is mishandled.