CVE-2023-47130: Prevent RCE when deserializing untrusted user input
Yii is an open source PHP web framework. Versions of yiisoft/yii before 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity: High
marcovtwout published GHSA-mw2w-2hj2-fg8q on Nov 14, 2023
Package: yiisoft/yii (Composer)
Affected versions: <1.1.29
Patched versions: 1.1.29
Description
Impact
Affected versions of yiisoft/yii are vulnerable to Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input.
Patches
Upgrade yiisoft/yii to version 1.1.29 or higher.
For more information
See the following links for more details:
- Git commit: https://github.com/yiisoft/yii/commit/37142be4dc5831114a375392e86d6450d4951c06
- https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
If you have any questions or comments about this advisory, contact us through the security form: https://www.yiiframework.com/security
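The unsafe call the advisory describes, shown beside two hardened variants, as an added example that is not code from the yiisoft/yii project. The loadState* helper names and the $benign/$hostile inputs are constructed, and the code assumes PHP 7.3 or later (for the unserialize() allowed_classes option and JSON_THROW_ON_ERROR).

```php
<?php
// Added example for this advisory, not code from yiisoft/yii: the
// unserialize()-on-user-input pattern it warns about (CWE-502) beside two
// hardened alternatives. Helper names and sample inputs are constructed.
// Vulnerable pattern: any autoloadable class named in the payload is
// instantiated, so its __wakeup()/__destruct() code runs on attacker data.
function loadStateUnsafe(string $blob)
{
    return unserialize($blob);
}

// Hardened pattern 1: keep the serialize() wire format but forbid object
// instantiation (PHP >= 7.0). Classes in the payload become
// __PHP_Incomplete_Class; reject the payload if any survive.
function loadStateSafe(string $blob): array
{
    $value = unserialize($blob, ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new InvalidArgumentException('expected a serialized array');
    }
    array_walk_recursive($value, static function ($leaf): void {
        if (is_object($leaf)) {
            throw new InvalidArgumentException('objects are not allowed');
        }
    });
    return $value;
}

// Hardened pattern 2 (preferred for new code): JSON has no notion of PHP
// objects, so there is no class to instantiate (PHP >= 7.3 for the flag).
function loadStateJson(string $blob): array
{
    $value = json_decode($blob, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($value)) {
        throw new InvalidArgumentException('expected a JSON array or object');
    }
    return $value;
}

// Constructed inputs: a benign array and a payload that names a class.
$benign  = serialize(['page' => 2, 'sort' => 'name']);
$hostile = 'a:1:{i:0;O:8:"stdClass":0:{}}';

var_dump(loadStateSafe($benign));
try {
    loadStateSafe($hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The allowed_classes option only blocks object instantiation; data that must carry objects should be exchanged as JSON or a DTO rebuilt from validated scalars, never by re-enabling arbitrary classes.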
Severity: High, 8.1 / 10
CVSS base metrics:
- Attack vector: Network
- Attack complexity: High
- Privileges required: None
- User interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID: CVE-2023-47130
Weaknesses: CWE-502 (Deserialization of Untrusted Data)
Credits:
- ma4ter222 (Reporter)