Description
In Yii Framework 2.x before 2.0.14, remote attackers could obtain potentially sensitive information from exception messages, or exploit reflected XSS on the error handler page in non-debug mode. Related to base/ErrorHandler.php, log/Dispatcher.php, and views/errorHandler/exception.php.
References (3)
Core References
Issue Tracking x_refsource_misc
https://github.com/yiisoft/yii2/issues/14711
Issue Tracking, Third Party Advisory x_refsource_confirm
https://github.com/yiisoft/yii2/pull/15534
Patch x_refsource_misc
https://github.com/yiisoft/yii2/commit/6b0be47e0fa9c532e03b07b4369050582fcf5c7a
Scores
CVSS v3: 7.5
EPSS: 0.0101
EPSS Percentile: 77.2%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE: CWE-79
Status: published
Products (18)
yiiframework/yiiframework 2.0.0 (4 CPE variants)
yiiframework/yiiframework 2.0.1
yiiframework/yiiframework 2.0.2
yiiframework/yiiframework 2.0.3
yiiframework/yiiframework 2.0.4
yiiframework/yiiframework 2.0.5
yiiframework/yiiframework 2.0.6
yiiframework/yiiframework 2.0.7
yiiframework/yiiframework 2.0.8
yiiframework/yiiframework 2.0.9
... and 8 more
Published: Jan 22, 2018
Tracked Since: Feb 18, 2026