SQL Injection Vulnerability in Yii Framework Versions
CVE-2018-7269

9.8CRITICAL

Key Information:

Vendor: Yiiframework
Status: Yii
Vendor: CVE Published:; 21 March 2018

🔔 Create Yiiframework Vulnerability Alert

What is CVE-2018-7269?

A vulnerability exists in the findByCondition function of the Yii Framework's ActiveRecord component. This issue allows remote attackers to exploit the findOne() or findAll() methods, potentially leading to SQL injection attacks. Developers may not be aware of the undocumented requirement to sanitize array inputs properly, which increases the risk of unauthorized database access. Upgrading to Yii Framework version 2.0.15 or later is crucial to mitigate this vulnerability.

References

http://www.yiiframework.com/news/168/releasing-yii-2-0-15...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 21, 2018
Vulnerability Reserved
Feb 20, 2018