CVE-2023-47130

Severity CVSS v4.0:
Pending analysis
Type:
CWE-502 Deserialization of Untrusted Dat
Publication date:
14/11/2023
Last modified:
20/11/2023

Description

Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:yiiframework:yii:*:*:*:*:*:*:*:* 1.1.29 (excluding)