Vulnerability Description
Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Yiiframework | Yii | < 1.1.29 |
Related Weaknesses (CWE)
References
- https://github.com/yiisoft/yii/commit/37142be4dc5831114a375392e86d6450d4951c06Patch
- https://github.com/yiisoft/yii/security/advisories/GHSA-mw2w-2hj2-fg8qPatch
- https://owasp.org/www-community/vulnerabilities/PHP_Object_InjectionThird Party Advisory
- https://github.com/yiisoft/yii/commit/37142be4dc5831114a375392e86d6450d4951c06Patch
- https://github.com/yiisoft/yii/security/advisories/GHSA-mw2w-2hj2-fg8qPatch
- https://owasp.org/www-community/vulnerabilities/PHP_Object_InjectionThird Party Advisory
FAQ
What is CVE-2023-47130?
CVE-2023-47130 is a vulnerability with a CVSS score of 8.1 (HIGH). Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. An attacker m...
How severe is CVE-2023-47130?
CVE-2023-47130 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-47130?
Check the references section above for vendor advisories and patch information. Affected products include: Yiiframework Yii.