What is the vulnerability ID for this issue?

The vulnerability ID for this issue is CVE-2018-6009.

What is the severity of CVE-2018-6009?

CVE-2018-6009 has a severity value of 8.8 (high).

CVE-2018-6009 affects Yii Framework versions up to and including 2.0.14.

The switchIdentity() function in yii\web\User does not regenerate the CSRF token upon a change of identity, which introduces the vulnerability.

To fix CVE-2018-6009, upgrade to Yii Framework version 2.0.14 or higher.

8.8

CWE

352

13/1/2018

22/1/2018

5/8/2024

First published: Sat Jan 13 2018(Updated: )

In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity.

Credit: cve@mitre.org cve@mitre.org

What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2018-6009.
What is the severity of CVE-2018-6009?
CVE-2018-6009 has a severity value of 8.8 (high).
What software versions are affected by CVE-2018-6009?
CVE-2018-6009 affects Yii Framework versions up to and including 2.0.14.
How does the switchIdentity() function in yii\web\User introduce the vulnerability?
The switchIdentity() function in yii\web\User does not regenerate the CSRF token upon a change of identity, which introduces the vulnerability.
How can I fix CVE-2018-6009?
To fix CVE-2018-6009, upgrade to Yii Framework version 2.0.14 or higher.