Описание
yiisoft/yii deserializing untrusted user input can lead to remote code execution
Impact
Affected versions of yiisoft/yii are vulnerable to Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input.
Patches
Upgrade yiisoft/yii to version 1.1.29 or higher.
For more information
See the following links for more details:
If you have any questions or comments about this advisory, contact us through security form.
Пакеты
yiisoft/yii
< 1.1.29
1.1.29
Связанные уязвимости
Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Yii is an open source PHP web framework. yiisoft/yii before version 1. ...