Unsafe deserialization in Yii 2
CVE-2020-15148

8.9HIGH

Key Information:

Vendor: Yiisoft
Status: Yii2
Vendor: CVE Published:; 15 September 2020

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 91%

What is CVE-2020-15148?

Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls unserialize() on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.

Affected Version(s)

yii2 < 2.0.38

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2020-15148-bypasses
Created by Maskhe

cve-2020-15148
Created by 0xkami

References

https://github.com/yiisoft/yii2/security/advisories/GHSA-...

x_refsource_CONFIRM

https://github.com/yiisoft/yii2/commit/9abccb96d7c5ddb569...

x_refsource_MISC

EPSS Score

91% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.9

Severity:

HIGH

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Oct 27, 2020
👾
Exploit known to exist
Oct 27, 2020
Vulnerability published
Sep 15, 2020
Vulnerability Reserved
Jun 25, 2020

Yiisoft