Base Score

CRITICAL10

CVE-2020-15148

Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.

VectorNETWORK

Published Bysecurity-advisories@github.com

Published DateSep 15, 2020, 19:15

Affected Versions(1)

yiisoft/yii2(Packagist)

Introduced0

Fixed2.0.38

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
yiisoft/yii2(Packagist)	0	2.0.38	N/A

Weakness Type (CWE):CWE-502

CVSS Metrics

Base Score

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Base Severity

CRITICAL

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

CHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH

References

Base Score

CRITICAL10

Weakness Type (CWE):CWE-502

CVSS Metrics

Base Score

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Base Severity

CRITICAL

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

CHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH