Vulnerability Description
The Gii code generator for Yii 2 (yiisoft/yii2-gii) before 2.2.2 allows remote attackers to execute arbitrary code via the messageCategory field handled in Generator.php. The field's value is written into the generated model file without validation or escaping, so an attacker who can submit a crafted messageCategory can embed arbitrary PHP code in the model source, which then executes when the generated class is loaded.
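The following is an added illustration of the bug class described above, not code taken from yii2-gii. It uses a simplified stand-in for a generator that emits a `Yii::t()` call into a generated model class: once with the category interpolated unvalidated, once hardened. The function names, the allow-list regex and the sample input are this example's own assumptions.

```php
<?php
// Added illustration, not code from yii2-gii. A simplified stand-in for a
// generator that emits a Yii::t() call into a generated model class, shown
// first with the category interpolated unvalidated, then hardened.
// Function names, the regex and the sample input are this example's own choices.

declare(strict_types=1);

// Vulnerable pattern: messageCategory is spliced into PHP source as-is.
// Anything that closes the single-quoted literal becomes live PHP in the
// generated model file.
function emitLabelVulnerable(string $messageCategory, string $label): string
{
    return "Yii::t('" . $messageCategory . "', '" . addslashes($label) . "')";
}

// Hardened pattern: reject anything that is not an identifier-like category
// before generating code, and let var_export() build the string literal so
// quoting is never done by hand.
function emitLabelHardened(string $messageCategory, string $label): string
{
    if (!preg_match('/^[A-Za-z0-9_\/-]+$/', $messageCategory)) {
        throw new InvalidArgumentException('messageCategory contains disallowed characters');
    }
    return 'Yii::t(' . var_export($messageCategory, true) . ', ' . var_export($label, true) . ')';
}

// Constructed input for this example: closes the literal, injects a statement,
// and leaves the tail of the template syntactically valid PHP.
$hostile = "app', 'x'); /* attacker-controlled PHP runs here */ echo('injected";

echo "vulnerable: ", emitLabelVulnerable($hostile, 'Name'), PHP_EOL;

try {
    echo "hardened:   ", emitLabelHardened($hostile, 'Name'), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo "hardened:   rejected (", $e->getMessage(), ")", PHP_EOL;
}

// A legitimate category still generates a clean call.
echo "hardened:   ", emitLabelHardened('app/backend', 'Name'), PHP_EOL;
```

Run it with `php example.php`. The vulnerable line prints a second statement sitting between the two `Yii::t` fragments, which is exactly what ends up in the generated model file; the hardened variant refuses the input before any source is written. The allow-list shown is a generic defensive pattern for code generators, not the project's actual patch; the supported remediation is to upgrade to yii2-gii 2.2.2 or later.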
CVSS Score
8.8 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Yiiframework | Gii | < 2.2.2 |
Related Weaknesses (CWE)
References
- https://github.com/yiisoft/yii2-gii/issues/433 (Exploit, Issue Tracking, Third Party Advisory)
- https://lab.wallarm.com/yii2-gii-remote-code-execution/ (Exploit, Mitigation, Third Party Advisory)
FAQ
What is CVE-2020-36655?
CVE-2020-36655 is a remote code execution vulnerability with a CVSS base score of 8.8 (HIGH) in the Gii code generator for Yii 2 (yiisoft/yii2-gii) before 2.2.2. The messageCategory field handled in Generator.php is written into the generated model file without validation, so a remote attacker can embed arbitrary PHP code in the model source.
How severe is CVE-2020-36655?
CVE-2020-36655 has been rated HIGH with a CVSS base score of 8.8/10. Successful exploitation gives the attacker code execution on the application server; no vector breakdown is listed on this page.
Is there a patch for CVE-2020-36655?
Yes. The issue is fixed in yii2-gii 2.2.2; upgrade the yiisoft/yii2-gii package to 2.2.2 or later. Gii is a development-time code generator and should not be enabled in production or reachable from untrusted networks regardless of version. The references above include the upstream issue report and a third-party write-up with mitigation guidance. Affected products: Yiiframework Gii before 2.2.2.