Headline
CVE-2022-34297: CVE-2022-34297
Yii Yii2 Gii through 2.2.4 allows stored XSS by injecting a payload into any field.
[Suggested description]
Yii Yii2 Gii through 2.2.4 allows stored XSS by injecting a payload into any field.
------------------------------------------
[Vulnerability Type]
Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]
Yii Software
------------------------------------------
[Affected Product Code Base]
Gii - <=2.2.4
------------------------------------------
[Affected Component]
affected web application page
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Denial of Service]
true
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Attack Vectors]
Some fields like Message Category (requires I18N enabled) in Model Generator, CRUD Generator or Form Generator, Author Name in Extension Generator, etc. are being cached without sanitisation of their contents when the Preview button is pressed. This leads to possibility of injecting malicious javascript in specified pages by placing it in said fields and caching it by pressing Preview button. On each consequent visit of specified pages malicious javascript will be loaded from server and executed in client’s browser.
------------------------------------------
[Reference]
https://github.com/yiisoft/yii2-gii
https://www.yiiframework.com/doc/guide/2.0/en/start-gii
------------------------------------------
[Discoverer]
Boris Kovalkov, security researcher at SolidLab Ltd.