Vulnerabilities > Yiiframework
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-01-21 | CVE-2020-36655 | Code Injection vulnerability in Yiiframework GII Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field. | 8.8 |
| 2022-12-09 | CVE-2022-34297 | Cross-site Scripting vulnerability in Yiiframework GII Yii Yii2 Gii through 2.2.4 allows stored XSS by injecting a payload into any field. | 5.4 |
| 2022-11-23 | CVE-2022-41922 | Unspecified vulnerability in Yiiframework YII `yiisoft/yii` before version 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. | 9.8 |
| 2021-08-10 | CVE-2021-3692 | Use of Insufficiently Random Values vulnerability in Yiiframework YII yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator | 5.3 |
| 2021-08-10 | CVE-2021-3689 | Use of Insufficiently Random Values vulnerability in Yiiframework YII yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator | 7.5 |
| 2020-09-15 | CVE-2020-15148 | Unspecified vulnerability in Yiiframework YII Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. | 10.0 |
| 2019-01-28 | CVE-2018-20745 | Origin Validation Error vulnerability in Yiiframework YII Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems. | 5.9 |
| 2018-03-21 | CVE-2018-8074 | Code Injection vulnerability in Yiiframework YII Yii 2.x before 2.0.15 allows remote attackers to inject unintended search conditions via a variant of the CVE-2018-7269 attack in conjunction with the Elasticsearch extension. | 8.1 |
| 2018-03-21 | CVE-2018-8073 | Code Injection vulnerability in Yiiframework YII Yii 2.x before 2.0.15 allows remote attackers to execute arbitrary LUA code via a variant of the CVE-2018-7269 attack in conjunction with the Redis extension. | 9.8 |
| 2018-03-21 | CVE-2018-7269 | SQL Injection vulnerability in Yiiframework YII The findByCondition function in framework/db/ActiveRecord.php in Yii 2.x before 2.0.15 allows remote attackers to conduct SQL injection attacks via a findOne() or findAll() call, unless a developer recognizes an undocumented need to sanitize array input. | 9.8 |