yiisoft/yii before v1.1.27 vulnerable to Remote Code Execution if the application calls `unserialize()` on arbitrary user input
CVE-2022-41922

8.1HIGH

Key Information:

Vendor: Yiisoft
Status: Yii
Vendor: CVE Published:; 23 November 2022

What is CVE-2022-41922?

yiisoft/yii before version 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input. This has been patched in 1.1.27.

Affected Version(s)

yii < 1.1.27

References

https://github.com/yiisoft/yii/security/advisories/GHSA-4...

https://github.com/yiisoft/yii/commit/ed67b7cc57216557c5c...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 23, 2022
Vulnerability Reserved
Sep 30, 2022

Yiisoft

What is CVE-2022-41922?

Affected Version(s)

References

CVSS V3.1

Timeline