| purl | pkg:composer/yiisoft/yii2-dev@2.0.12 |
| Next non-vulnerable version | 3.0.0-alpha1 |
| Latest non-vulnerable version | 3.0.0-alpha1 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-4xj7-j7qz-2kd2 (Aliases: CVE-2018-6010, GHSA-8gfq-c54m-3rf6) | Information disclosure: Remote attackers can obtain potentially sensitive information from exception messages printed by the error handler in non-debug mode. | Affected by 8 other vulnerabilities. |
| VCID-6rub-m94d-jfct (Aliases: CVE-2021-3689, GHSA-hq3v-rg6f-6hx4) | Use of Insufficiently Random Values: yii2 is vulnerable to use of predictable algorithm in a random number generator | Affected by 2 other vulnerabilities. |
| VCID-gb9u-t143-vker (Aliases: CVE-2021-3692, GHSA-wwvv-x5mq-h3jj) | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG): yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator | Affected by 2 other vulnerabilities. |
| VCID-gwmb-kcz9-d7b9 (Aliases: CVE-2020-15148, GHSA-699q-wcff-g9mj) | Deserialization of Untrusted Data: Yii 2 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. | Affected by 4 other vulnerabilities. |
| VCID-jkfv-pxp7-9qba (Aliases: CVE-2018-8073, GHSA-4hx3-m8w5-g5qh) | Remote code execution: Redis extension of Yii 2 allows remote attackers to execute arbitrary Lua code via a variant of the CVE-2018-7269 attack. | Affected by 6 other vulnerabilities. |
| VCID-v3nu-bzav-vfc8 (Aliases: CVE-2017-11516, GHSA-4c64-w8fg-xcq2) | Cross-site Scripting: An XSS vulnerability exists in `framework/views/errorHandler/exception`. | Affected by 0 other vulnerabilities. Affected by 10 other vulnerabilities. |
| VCID-vf2s-s6dr-nqhf (Aliases: CVE-2018-20745, GHSA-cr6r-6xm9-ww22) | Origin Validation Error: Yii actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems. | Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-vhy5-48ge-vyat (Aliases: CVE-2018-8074, GHSA-m2p5-fwp2-qcw2) | Code Injection: Yii allows remote attackers to inject unintended search conditions. | Affected by 6 other vulnerabilities. |
| VCID-x388-wd41-tkh3 (Aliases: CVE-2025-2689, GHSA-88m2-j94x-v4fx) | yiisoft Yii2 Deserialization of Untrusted Data: A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function getIterator of the file `symfony\finder\Iterator\SortableIterator.php`. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | Affected by 1 other vulnerability. |
| VCID-x788-tu9q-byfu (Aliases: CVE-2018-6009, GHSA-cwhm-272p-3wj9) | CSRF vulnerability in switchIdentity: The `switchIdentity()` function in `web/User.php` did not regenerate the CSRF token upon a change of identity. | Affected by 8 other vulnerabilities. |
| VCID-xrgb-33bd-ckat (Aliases: CVE-2023-26750, GHSA-gq63-p39p-jrjf) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): SQL injection vulnerability found in Yii Framework Yii 2 Framework before v.2.0.47 allows a remote attacker to execute arbitrary code via the runAction function. | Affected by 0 other vulnerabilities. |
| VCID-y165-fy8y-2fcc (Aliases: CVE-2018-7269, GHSA-hhg2-g6h6-c266) | The `findByCondition` function in `framework/db/ActiveRecord.php` allows remote attackers to conduct SQL injection attacks via a `findOne()` or `findAll()` call, unless a developer recognizes an undocumented need to sanitize array input. | Affected by 0 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 6 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||