Vulnerabilities > Yiiframework > YII

DATE CVE VULNERABILITY TITLE RISK
2020-09-15 CVE-2020-15148 Unspecified vulnerability in Yiiframework YII
Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input.
network
low complexity
yiiframework
critical
10.0
2019-01-28 CVE-2018-20745 Origin Validation Error vulnerability in Yiiframework YII
Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.
network
high complexity
yiiframework CWE-346
5.9
2018-03-21 CVE-2018-8074 Code Injection vulnerability in Yiiframework YII
Yii 2.x before 2.0.15 allows remote attackers to inject unintended search conditions via a variant of the CVE-2018-7269 attack in conjunction with the Elasticsearch extension.
network
high complexity
yiiframework CWE-94
8.1
2018-03-21 CVE-2018-8073 Code Injection vulnerability in Yiiframework YII
Yii 2.x before 2.0.15 allows remote attackers to execute arbitrary LUA code via a variant of the CVE-2018-7269 attack in conjunction with the Redis extension.
network
low complexity
yiiframework CWE-94
critical
9.8
2018-03-21 CVE-2018-7269 SQL Injection vulnerability in Yiiframework YII
The findByCondition function in framework/db/ActiveRecord.php in Yii 2.x before 2.0.15 allows remote attackers to conduct SQL injection attacks via a findOne() or findAll() call, unless a developer recognizes an undocumented need to sanitize array input.
network
low complexity
yiiframework CWE-89
critical
9.8
2017-07-21 CVE-2017-11516 Cross-site Scripting vulnerability in Yiiframework YII 2.0.12
An XSS vulnerability exists in framework/views/errorHandler/exception.php in Yii Framework 2.0.12 affecting the exception screen when debug mode is enabled, because $exception->errorInfo is mishandled.
network
low complexity
yiiframework CWE-79
6.1