Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-mw2w-2hj2-fg8q: yiisoft/yii deserializing untrusted user input can lead to remote code execution

Impact

Affected versions of yiisoft/yii are vulnerable to Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input.

Patches

Upgrade yiisoft/yii to version 1.1.29 or higher.

For more information

See the following links for more details:

  • Git commit
  • https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection

If you have any questions or comments about this advisory, contact us through security form.

ghsa
Open in Source
#vulnerability#git#php#rce

yiisoft/yii deserializing untrusted user input can lead to remote code execution

High severity GitHub Reviewed Published Nov 14, 2023 in yiisoft/yii • Updated Nov 14, 2023

Related news

CVE-2023-47130: Prevent RCE when deserializing untrusted user input

Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.

ghsa: Latest News

GHSA-8fh4-942r-jf2g: LibreNMS has a Stored XSS ('Cross-site Scripting') in librenms/includes/html/pages/device/services.inc.php
ghsa