CVE-2023-47130

2023-11-1421:15:11

CWE-502

[email protected]

web.nvd.nist.gov

yii

php

web framework

cve-2023-47130

rce

remote code execution

vulnerability

upgrade

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

73.0%

JSON

Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected configurations

Vulners

NVD

Node

yiisoftyiiRange<1.1.29

CPENameOperatorVersion
yiiframework:yiiyiiframework yiilt1.1.29

CPE	Name	Operator	Version
yiiframework:yii	yiiframework yii	lt	1.1.29

CNA Affected

[
  {
    "vendor": "yiisoft",
    "product": "yii",
    "versions": [
      {
        "version": "< 1.1.29",
        "status": "affected"
      }
    ]
  }
]