CVE-2020-36655

HIGH

Yii2 Gii <2.2.2 - Code Execution via Generator messageCategory Field


Description

Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file.

References (2)

Core References
Exploit, Issue Tracking, Third Party Advisory: https://github.com/yiisoft/yii2-gii/issues/433
Exploit, Mitigation, Third Party Advisory: https://lab.wallarm.com/yii2-gii-remote-code-execution/

Scores

CVSS v3 8.8
EPSS 0.0146
EPSS Percentile 70.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-94
Status published
Products (2)
yiiframework/gii < 2.2.2
yiisoft/yii2-gii 0 - 2.2.2 (Packagist)
Published Jan 21, 2023
Tracked Since Feb 18, 2026