PT-2022-22113 · Yii2 Gii
Boris Kovalkov · Published 2022-12-09 · Updated 2022-12-13
CVE-2022-34297 · CVSS v3.1 5.4 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Yii2 Gii versions through 2.2.4
Description
The issue allows stored XSS by injecting a payload into any field. Some fields, such as Message Category in the Model Generator, CRUD Generator or Form Generator, and Author Name in the Extension Generator, are cached without sanitization of their contents when the Preview button is pressed. This makes it possible to inject malicious JavaScript into the affected pages by placing it in those fields and caching it by pressing the Preview button. On each subsequent visit to those pages, the cached JavaScript is loaded from the server and executed in the client's browser.
Recommendations
For versions through 2.2.4, as a temporary workaround, consider disabling the Preview button functionality in the affected generators until a patch is available. Restrict access to the caching mechanism for the specified fields to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
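As an added illustration that is not part of the advisory or of Gii's own code, the following PHP models the flow described above: generator form values stored in a cache when Preview is pressed and rendered again on a later visit, with the unescaped rendering beside the output-encoded one. The class and function names are hypothetical, and the field value is a constructed, harmless test string.

```php
<?php
// Added example, not Gii's code. Models the advisory's flow: form values are
// cached on Preview and re-rendered on later visits. Names are hypothetical.

final class GeneratorPreviewCache
{
    /** @var array<string, array<string, string>> keyed by generator, then by field */
    private array $entries = [];

    // Store submitted form values as-is, mirroring "cached without sanitization".
    public function store(string $generator, array $fields): void
    {
        $this->entries[$generator] = $fields;
    }

    public function load(string $generator): array
    {
        return $this->entries[$generator] ?? [];
    }
}

// Weak: the cached value is interpolated verbatim into the page on re-render,
// so markup placed in the field on Preview reaches every later visitor.
function renderFieldUnsafe(string $label, string $value): string
{
    return '<label>' . $label . '</label><input value="' . $value . '">';
}

// Hardened: encode at output time. ENT_QUOTES covers the attribute context as
// well as text nodes; in a Yii2 view the equivalent is yii\helpers\Html::encode().
function encodeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderFieldSafe(string $label, string $value): string
{
    return '<label>' . encodeHtml($label) . '</label><input value="' . encodeHtml($value) . '">';
}

// Constructed input: a Message Category value that breaks out of the attribute
// and carries a script tag (harmless alert used only to show the difference).
$cache = new GeneratorPreviewCache();
$cache->store('model', ['messageCategory' => '"><script>alert(1)</script>']);

$stored = $cache->load('model')['messageCategory'];
echo renderFieldUnsafe('Message Category', $stored), PHP_EOL; // script tag reaches the browser
echo renderFieldSafe('Message Category', $stored), PHP_EOL;   // emitted as &quot;&gt;&lt;script&gt;..., inert
```

Encoding at render time also neutralises values that are already sitting in the cache, which is why it is the safer fix point compared with sanitising only on write.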
Exploit
XSS
Affected Products
Yii2 Gii