CVE-2023-47130

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-47130

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-47130.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-47130

Aliases

GHSA-mw2w-2hj2-fg8q

Published

2023-11-14T20:30:16Z

Modified

2025-11-04T20:15:18.678774Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Unsafe deserialization of user data in yiisoft/yii

Details

Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Database specific

{
    "cwe_ids": [
        "CWE-502"
    ]
}

References

Affected packages

Git / github.com/yiisoft/yii

Affected ranges

Type

GIT

Repo

https://github.com/yiisoft/yii

Events

Introduced

Fixed

f89b76ecca1d342e346ebb9bfc1e2c589f696345

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.1.29"
        }
    ]
}

Affected versions

1.*

1.0a

1.0rc

1.1.0

1.1.10

1.1.11

1.1.12

1.1.13

1.1.13-RC

1.1.14

1.1.14-rc

1.1.15

1.1.16

1.1.17

1.1.18

1.1.19

1.1.20

1.1.21

1.1.22

1.1.23

1.1.24

1.1.25

1.1.26

1.1.27

1.1.28

1.1.3

1.1.4

1.1.7

1.1.8

1.1.9

1.1b

1.1rc