CVE-2023-47130
Published: 2023-11-14
Priority: P265 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.15% (86.3th percentile)
Yii is an open source PHP web framework. yiisoft/yii versions before 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| yiiframework | yii | < 1.1.29 | 1.1.29 |
| yiisoft | yii | < 1.1.29 | 1.1.29 |
| yiisoft | yii | >= 0 < 1.1.29 | 1.1.29 |
GHSA
yiisoft/yii deserializing untrusted user input can lead to remote code execution
ghsa·2023-11-14
CVE-2023-47130 [HIGH] CWE-502 yiisoft/yii deserializing untrusted user input can lead to remote code execution
### Impact
Affected versions of `yiisoft/yii` are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input.
### Patches
Upgrade `yiisoft/yii` to version 1.1.29 or higher.
### For more information
See the following links for more details:
- [Git commit](https://github.com/yiisoft/yii/commit/37142be4dc5831114a375392e86d6450d4951c06)
- https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
If you have any questions or comments about this advisory, [contact us through the security form](https://www.yiiframework.com/security).
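The advisory's Impact section names the application-side precondition: the framework's gadgets only become reachable when the application itself feeds untrusted bytes to `unserialize()`. The following is an added example, not code from the Yii project or from the advisory, showing that pattern beside two hardened alternatives; the cookie name `state` and the function names are hypothetical.

```php
<?php
// Added example (not from the advisory or the Yii project).
// Assumption: an untrusted value arrives in a cookie named "state" (hypothetical name).

// Vulnerable pattern: unserialize() on attacker-controlled bytes. When any
// exploitable gadget chain is on the autoload path (the yiisoft/yii < 1.1.29
// classes covered by this advisory are one such chain), this is remote code
// execution regardless of what the application does with the return value.
function restoreStateVulnerable(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Mitigation 1: refuse to instantiate any class. Serialized objects in the
// payload are materialised as __PHP_Incomplete_Class, so no __wakeup(),
// __unserialize() or __destruct() gadget ever runs. Scalars and arrays are
// all that state data should need, so anything else is rejected outright.
function restoreStateAllowedClasses(string $untrusted): array
{
    $value = @unserialize($untrusted, ['allowed_classes' => false]);
    if (!is_array($value) || containsObject($value)) {
        throw new InvalidArgumentException('state must be an array of scalars');
    }
    return $value;
}

// Recursive check used above: rejects __PHP_Incomplete_Class stand-ins as well.
function containsObject(array $value): bool
{
    foreach ($value as $item) {
        if (is_object($item) || (is_array($item) && containsObject($item))) {
            return true;
        }
    }
    return false;
}

// Mitigation 2 (preferred): do not use PHP's native serialization format for
// untrusted input at all. JSON has no object semantics, so there is nothing
// for a gadget chain to hook.
function restoreStateJson(string $untrusted): array
{
    $value = json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($value)) {
        throw new InvalidArgumentException('state must be a JSON object or array');
    }
    return $value;
}

// Example wiring: the hardened reader is a drop-in replacement for the
// vulnerable one at the point where the cookie is consumed.
$state = restoreStateJson($_COOKIE['state'] ?? '{}');
```

For a code review, the thing to look for is every `unserialize(` call whose argument can be traced to a request (cookies, query or form fields, uploaded files, cached values written from request data) and that does not pass `['allowed_classes' => false]`; upgrading to 1.1.29 removes the known Yii gadget chain, but any other serializable class on the autoload path keeps the application-side pattern dangerous.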
OSV
yiisoft/yii deserializing untrusted user input can lead to remote code execution
osv·2023-11-14
CVE-2023-47130 [HIGH] yiisoft/yii deserializing untrusted user input can lead to remote code execution
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/yiisoft/yii/commit/37142be4dc5831114a375392e86d6450d4951c06
- https://github.com/yiisoft/yii/security/advisories/GHSA-mw2w-2hj2-fg8q
- https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection