First published: Tue Nov 14 2023(Updated: )
Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.
### Impact Affected versions of `yiisoft/yii` are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. ### Patches Upgrade `yiisoft/yii` to version 1.1.29 or higher. ### For more information See the following links for more details: - [Git commit](https://github.com/yiisoft/yii/commit/37142be4dc5831114a375392e86d6450d4951c06) - https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection If you have any questions or comments about this advisory, [contact us through security form](https://www.yiiframework.com/security).
Credit: security-advisories@github.com security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
composer/yiisoft/yii | <1.1.29 | 1.1.29 |
Yiiframework Yii | <1.1.29 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-47130 allows Remote Code Execution (RCE) if the application calls 'unserialize()' on arbitrary user input.
To fix CVE-2023-47130, upgrade 'yiisoft/yii' to version 1.1.29 or higher.
You can find more information about CVE-2023-47130 in the following links: [GitHub Advisory](https://github.com/yiisoft/yii/security/advisories/GHSA-mw2w-2hj2-fg8q), [GitHub Commit](https://github.com/yiisoft/yii/commit/37142be4dc5831114a375392e86d6450d4951c06), [OWASP PHP Object Injection](https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection).
The severity of CVE-2023-47130 is high with a CVSS score of 8.1.
The CWE of CVE-2023-47130 is CWE-502 (Deserialization of Untrusted Data).