CVE-2020-15148
Severity CVSS v4.0:
Pending analysis
Type:
CWE-502
Deserialization of Untrusted Dat
Publication date:
15/09/2020
Last modified:
17/06/2026
Description
Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.
Impact
Base Score 3.x
8.90
Severity 3.x
HIGH
Base Score 2.0
7.50
Severity 2.0
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:yiiframework:yii:*:*:*:*:*:*:*:* | 2.0.38 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/yiisoft/yii2/commit/9abccb96d7c5ddb569f92d1a748f50ee9b3e2b99
- https://github.com/yiisoft/yii2/security/advisories/GHSA-699q-wcff-g9mj
- https://github.com/yiisoft/yii2/commit/9abccb96d7c5ddb569f92d1a748f50ee9b3e2b99
- https://github.com/yiisoft/yii2/security/advisories/GHSA-699q-wcff-g9mj



