First published: Tue Nov 14 2023(Updated: )
### Impact Affected versions of `yiisoft/yii` are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. ### Patches Upgrade `yiisoft/yii` to version 1.1.29 or higher. ### For more information See the following links for more details: - [Git commit](https://github.com/yiisoft/yii/commit/37142be4dc5831114a375392e86d6450d4951c06) - https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection If you have any questions or comments about this advisory, [contact us through security form](https://www.yiiframework.com/security).
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
composer/yiisoft/yii | <1.1.29 | 1.1.29 |
Yii Framework | <1.1.29 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-47130 allows Remote Code Execution (RCE) if the application calls 'unserialize()' on arbitrary user input.
To fix CVE-2023-47130, upgrade 'yiisoft/yii' to version 1.1.29 or higher.
You can find more information about CVE-2023-47130 in the following links: [GitHub Advisory](https://github.com/yiisoft/yii/security/advisories/GHSA-mw2w-2hj2-fg8q), [GitHub Commit](https://github.com/yiisoft/yii/commit/37142be4dc5831114a375392e86d6450d4951c06), [OWASP PHP Object Injection](https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection).
The severity of CVE-2023-47130 is high with a CVSS score of 8.1.
The CWE of CVE-2023-47130 is CWE-502 (Deserialization of Untrusted Data).