CVE-2022-41922
Published 2022-11-23
Priority: P354 | CVSS 3.1: 9.8 (critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.13% (62.4th percentile)
`yiisoft/yii` before version 1.1.27 is vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input: the framework's own classes can then be instantiated from attacker-controlled data and used as a gadget chain. This has been patched in 1.1.27.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| yiiframework | yii | < 1.1.27 | 1.1.27 |
| yiisoft | yii | < 1.1.27 | 1.1.27 |
| yiisoft | yii | >= 0 < 1.1.27 | 1.1.27 |
OSV advisory (2022-11-21): CVE-2022-41922 [HIGH] Prevent RCE when deserializing untrusted user input
### Impact
Affected versions of `yiisoft/yii` are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input.
### Patches
Upgrade `yiisoft/yii` to version 1.1.27 or higher.
### For more information
See the following links for more details:
- [Git commit](https://github.com/yiisoft/yii/commit/ed67b7cc57216557c5c595c6650cdd2d3aa41c52)
- https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
If you have any questions or comments about this advisory, [contact us through security form](https://www.yiiframework.com/security).
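The condition the advisory describes (the application calls `unserialize()` on attacker-controlled data while a class with a usable magic method is autoloadable) and the two hardened alternatives, as an added example that is neither Yii code nor part of the advisory. The `Gadget` class, the `loadState*` functions, `expect()` and the payload string are constructed for illustration; the stand-in gadget only records the command a real chain would execute, and the `Yii::getVersion()` check at the end is an assumed framework API that is skipped when Yii is not loaded.

```php
<?php
// Added example, not Yii project code: the CWE-502 pattern behind
// CVE-2022-41922, with a constructed gadget class standing in for the
// framework class the 1.1.27 fix hardened. Runs stand-alone (PHP >= 7.4,
// no Yii install required).
declare(strict_types=1);

// Constructed stand-in for a gadget class. A real chain ends in something
// like system($this->cmd); this one only records what would have run.
final class Gadget
{
    public static array $executed = [];
    public string $cmd = 'id';

    // unserialize() invokes __wakeup() on every object it rebuilds, so whoever
    // controls the serialized bytes controls $cmd by the time this runs.
    public function __wakeup(): void
    {
        self::$executed[] = $this->cmd;
    }
}

// Vulnerable pattern from the advisory: unserialize() on request data.
function loadStateVulnerable(string $untrusted)
{
    return unserialize($untrusted);   // any autoloadable class can be instantiated
}

// Stop-gap: allowed_classes => false (PHP 7.0+) rebuilds every object as
// __PHP_Incomplete_Class, whose magic methods never execute.
function loadStateHardened(string $untrusted)
{
    $value = @unserialize($untrusted, ['allowed_classes' => false]);
    if ($value === false && $untrusted !== 'b:0;') {   // 'b:0;' is serialize(false)
        throw new UnexpectedValueException('malformed serialized state');
    }
    return $value;
}

// Preferred fix: never use the PHP serialization format for untrusted input.
function loadStateJson(string $untrusted): array
{
    $value = json_decode($untrusted, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($value)) {
        throw new UnexpectedValueException('expected a JSON object');
    }
    return $value;
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
    echo "ok: $what\n";
}

// Constructed attacker payload, e.g. the value of a cookie the app unserializes.
$payload = 'O:6:"Gadget":1:{s:3:"cmd";s:16:"touch /tmp/pwned";}';

Gadget::$executed = [];
loadStateVulnerable($payload);
expect(Gadget::$executed === ['touch /tmp/pwned'], 'unserialize() fired the gadget');

Gadget::$executed = [];
$safe = loadStateHardened($payload);
expect($safe instanceof __PHP_Incomplete_Class, 'object rebuilt as incomplete class');
expect(Gadget::$executed === [], 'allowed_classes=false ran no magic method');

$cfg = loadStateJson('{"cmd":"touch /tmp/pwned"}');
expect($cfg === ['cmd' => 'touch /tmp/pwned'], 'JSON yields plain data, no objects');

// With Yii 1 loaded, Yii::getVersion() reports the installed release (assumed
// API, check your vendor copy); anything below 1.1.27 is in this CVE's range.
if (class_exists('Yii', false)) {
    expect(version_compare(Yii::getVersion(), '1.1.27', '>='), 'yii >= 1.1.27');
}
```

Upgrading to 1.1.27 removes the gadget the framework itself supplied, but it does not make `unserialize()` on untrusted input safe: any other autoloadable class with a usable magic method, in your own code or in another Composer package, can take its place. Treat the upgrade as necessary and the removal of `unserialize()` on untrusted data (or `allowed_classes => false` as a stop-gap) as the actual fix; a `grep -rn 'unserialize(' --include='*.php'` over the application is the quickest way to find the call sites to review.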
GHSA advisory (2022-11-21): CVE-2022-41922 [HIGH] CWE-502 Prevent RCE when deserializing untrusted user input (same advisory text and links as the OSV entry above)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.