Cross-Origin Resource Sharing Misconfiguration in Yii Framework by Yii Software
CVE-2018-20745

5.9MEDIUM

Key Information:

Vendor: Yiiframework
Status: Yii
Vendor: CVE Published:; 28 January 2019

What is CVE-2018-20745?

The Yii Framework versions up to 2.0.15.1 demonstrate a significant security flaw where a wildcard CORS policy allows the conversion of arbitrary Origin header values. This alteration undermines the intended CORS security model, potentially allowing attackers to execute cross-origin requests that compromise sensitive data or application integrity. This vulnerability highlights the importance of precise configurations of CORS to maintain robust web application security.

References

https://www.usenix.org/system/files/conference/usenixsecu...

x_refsource_MISC

https://github.com/yiisoft/yii2/issues/16193

x_refsource_MISC

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability Reserved
Oct 3, 2022
Vulnerability published
Jan 28, 2019

Yiiframework

What is CVE-2018-20745?

References

CVSS V3.1

Timeline