GHSA-x87m-36g7-6mpw

Source
https://github.com/advisories/GHSA-x87m-36g7-6mpw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-x87m-36g7-6mpw/GHSA-x87m-36g7-6mpw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-x87m-36g7-6mpw
Aliases
  • CVE-2022-34297
Published
2022-12-10T00:30:17Z
Modified
2023-11-08T04:09:45.458830Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Yii2 Gii Cross-site Scripting vulnerability
Details

Some fields, such as Message Category (requires I18N enabled) in the Model Generator, CRUD Generator or Form Generator, and Author Name in the Extension Generator, are cached without sanitisation of their contents when the Preview button is pressed. This makes it possible to inject malicious JavaScript into the affected pages by placing it in those fields and caching it by pressing the Preview button. On each subsequent visit to the affected pages, the malicious JavaScript is loaded from the server and executed in the client's browser.

Database specific
{
    "nvd_published_at": "2022-12-09T22:15:00Z",
    "github_reviewed_at": "2022-12-13T13:50:43Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Packagist / yiisoft/yii2-gii

Package

Name
yiisoft/yii2-gii
Purl
pkg:composer/yiisoft/yii2-gii

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
2.2.4

Affected versions

2.*

2.0.0-alpha
2.0.0-beta
2.0.0-rc
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4