Description
Reflected Cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.11, when development mode is used, allows remote attackers to inject arbitrary web script or HTML via crafted request data that is mishandled on the debug-mode exception screen.
References (4)
Core 4
Core References
Issue Tracking x_refsource_confirm
https://github.com/yiisoft/yii2/pull/13401
Release Notes, Vendor Advisory x_refsource_confirm
http://www.yiiframework.com/news/123/yii-2-0-11-is-released/
Patch x_refsource_confirm
https://github.com/yiisoft/yii2/commit/97171a0db7cda0a49931ee0c3b998ef50bd06756
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/97167
Scores
CVSS v3
6.1
EPSS
0.0029
EPSS Percentile
51.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (2)
yii_software/yii
< 2.0.10
yiisoft/yii2
0 - 2.0.11Packagist
Published
Mar 27, 2017
Tracked Since
Feb 18, 2026