Remote Information Disclosure and XSS Vulnerability in Yii Framework by YiiSoft
CVE-2018-6010

7.5HIGH

Key Information:

Vendor

Yiiframework

Status
Yiiframework
Vendor
CVE Published:
22 January 2018

What is CVE-2018-6010?

The Yii Framework version 2.x prior to 2.0.14 is susceptible to a vulnerability that permits remote attackers to access potentially sensitive information through exception messages. Additionally, it poses a risk for reflected cross-site scripting (XSS) on the error handler page when operating in non-debug mode. The underlying issues are located in the components responsible for error handling within the framework, particularly in base/ErrorHandler.php, log/Dispatcher.php, and views/errorHandler/exception.php. Developers using affected versions should update to mitigate these security risks.

References

https://github.com/yiisoft/yii2/pull/15534
x_refsource_CONFIRM
https://github.com/yiisoft/yii2/commit/6b0be47e0fa9c532e0...
x_refsource_MISC
https://github.com/yiisoft/yii2/issues/14711
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2018-6010 : Remote Information Disclosure and XSS Vulnerability in Yii Framework by YiiSoft