Vulnerabilities > CVE-2020-15148 - Deserialization of Untrusted Data vulnerability in Yiiframework YII

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
yiiframework
CWE-502
critical
NVD
Published: 2020-09-15
Updated: 2020-09-22

Summary

Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.

Vulnerable Configurations

Part Description Count
Application
Yiiframework
52

Common Weakness Enumeration (CWE)

References