GHSA-3mpg-q26j-83j5

Source

https://github.com/advisories/GHSA-3mpg-q26j-83j5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-3mpg-q26j-83j5/GHSA-3mpg-q26j-83j5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-3mpg-q26j-83j5

Aliases

CVE-2020-36655

Published

2023-01-21T03:30:28Z

Modified

2025-04-02T22:49:48.996342Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Command injection in yiisoft/yii2-gii

Details

Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file.

Database specific

{
    "github_reviewed": true,
    "severity": "HIGH",
    "github_reviewed_at": "2023-01-23T20:42:57Z",
    "nvd_published_at": "2023-01-21T01:15:00Z",
    "cwe_ids": [
        "CWE-94"
    ]
}

References

Affected packages

Packagist / yiisoft/yii2-gii

Package

Name: yiisoft/yii2-gii
Purl: pkg:composer/yiisoft/yii2-gii

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.2.2

Affected versions

2.*

2.0.0-alpha

2.0.0-beta

2.0.0-rc

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.2.0

2.2.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-3mpg-q26j-83j5/GHSA-3mpg-q26j-83j5.json"