PT-2020-6845 · Yii2 Gii

D90Pwn · Published 2020-05-08 · Updated 2023-01-30 · CVE-2020-36655

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Yii2 Gii versions prior to 2.2.2

Description: The issue allows remote attackers to execute arbitrary code via the messageCategory field in Generator.php: arbitrary PHP code supplied in that field is embedded into the generated model file. The vulnerability is related to the restoration of an invalid data structure in memory, and a remote attacker can exploit it to execute arbitrary code.

Recommendations: For versions prior to 2.2.2, update to version 2.2.2 or later to resolve the issue. As a temporary workaround, restrict access to the Generator.php file and the messageCategory field to reduce the risk of exploitation.

Tags: Exploit · Fix · RCE · Code Injection

Weakness Enumeration

Related Identifiers

BDU:2023-00799
CVE-2020-36655
GHSA-3MPG-Q26J-83J5

Affected Products

Yii2 Gii