CVE-2025-32027
- EPSS 0.03%
- Published 10.04.2025 14:32:31
- Last modified 17.09.2025 18:30:17
Yii is an open source PHP web framework. Prior to 1.1.31, yiisoft/yii is vulnerable to Reflected XSS in specific scenarios where the fallback error renderer is used. Upgrade yiisoft/yii to version 1.1.31 or higher.
CVE-2024-58136
- EPSS 83.06%
- Published 10.04.2025 00:00:00
- Last modified 30.07.2025 19:24:34
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.
CVE-2025-2690
- EPSS 0.07%
- Published 24.03.2025 07:31:04
- Last modified 24.03.2025 17:15:40
A vulnerability, which was classified as critical, was found in yiisoft Yii2 up to 2.0.39. This affects the function Generate of the file phpunit\src\Framework\MockObject\MockClass.php. The manipulation leads to deserialization. It is possible to ini...
CVE-2025-2689
- EPSS 0.11%
- Published 24.03.2025 07:00:07
- Last modified 24.03.2025 17:17:26
A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function getIterator of the file symfony\finder\Iterator\SortableIterator.php. The manipulation leads to deserialization. Th...
CVE-2024-4990
- EPSS 0.09%
- Published 20.03.2025 10:11:14
- Last modified 01.04.2025 20:34:07
In yiisoft/yii2 version 2.0.48, the base Component class contains a vulnerability where the `__set()` magic method does not validate that the value passed is a valid Behavior class name or configuration. This allows an attacker to instantiate arbitra...
CVE-2024-32877
- EPSS 2.3%
- Published 30.05.2024 20:15:08
- Last modified 22.09.2025 14:01:45
Yii 2 is a PHP application framework. During internal penetration testing of a product based on Yii2, users discovered a Cross-site Scripting (XSS) vulnerability within the framework itself. This issue is relevant for the latest version of Yii2 (2.0....
CVE-2023-47130
- EPSS 3.26%
- Published 14.11.2023 21:15:11
- Last modified 21.11.2024 08:29:50
Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 is vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. An attacker may leverage this vulnerability to compromise the h...
CVE-2015-5467
- EPSS 0.14%
- Published 21.09.2023 06:15:10
- Last modified 21.11.2024 02:33:03
web\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameter.
CVE-2022-31454
- EPSS 0.08%
- Published 28.07.2023 02:15:10
- Last modified 21.11.2024 07:04:28
Yii 2 v2.0.45 was discovered to contain a cross-site scripting (XSS) vulnerability via the endpoint /books. NOTE: this is disputed by the vendor because the cve-2022-31454-8e8555c31fd3 page does not describe why /books has a relationship to Yii 2.
CVE-2023-26750
- EPSS 7.67%
- Published 04.04.2023 15:15:08
- Last modified 13.02.2025 16:15:39
SQL injection vulnerability found in Yii Framework Yii 2 Framework before v.2.0.47 allows a remote attacker to execute arbitrary code via the runAction function. NOTE: the software maintainer's position is that the vulnerability is in third-party...