8.8

CVE-2018-6009

In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity.

Data is provided by the National Vulnerability Database (NVD)
YiiframeworkYiiframework Version2.0.0
YiiframeworkYiiframework Version2.0.0 Updatealpha
YiiframeworkYiiframework Version2.0.0 Updatebeta
YiiframeworkYiiframework Version2.0.0 Updaterc
YiiframeworkYiiframework Version2.0.1
YiiframeworkYiiframework Version2.0.2
YiiframeworkYiiframework Version2.0.3
YiiframeworkYiiframework Version2.0.4
YiiframeworkYiiframework Version2.0.5
YiiframeworkYiiframework Version2.0.6
YiiframeworkYiiframework Version2.0.7
YiiframeworkYiiframework Version2.0.8
YiiframeworkYiiframework Version2.0.9
YiiframeworkYiiframework Version2.0.10
YiiframeworkYiiframework Version2.0.11
YiiframeworkYiiframework Version2.0.11.1
YiiframeworkYiiframework Version2.0.11.2
YiiframeworkYiiframework Version2.0.12
YiiframeworkYiiframework Version2.0.13
YiiframeworkYiiframework Version2.0.13.1
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.17% 0.385
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.