Unsafe deserialization of user data in yiisoft/yii
CVE-2023-47130

8.1HIGH

Key Information:

Vendor: Yiisoft
Status: Yii
Vendor: CVE Published:; 14 November 2023

What is CVE-2023-47130?

Yii is a renowned open source PHP web framework, widely used for developing web applications. A critical vulnerability exists in Yii versions prior to 1.1.29, where the framework improperly handles the unserialize() function when it processes arbitrary user input. This flaw could be exploited by an attacker to execute arbitrary code on the server, leading to complete system compromise. It is crucial for users of affected versions to upgrade to 1.1.29 or later, as there are no viable workarounds to mitigate this risk.

Affected Version(s)

yii < 1.1.29

References

https://github.com/yiisoft/yii/security/advisories/GHSA-m...

x_refsource_CONFIRM

https://github.com/yiisoft/yii/commit/37142be4dc5831114a3...

x_refsource_MISC

https://owasp.org/www-community/vulnerabilities/PHP_Objec...

x_refsource_MISC

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 14, 2023
Vulnerability Reserved
Oct 30, 2023

Yiisoft

What is CVE-2023-47130?

Affected Version(s)

References

CVSS V3.1

Timeline