PT-2022-26152 · Yii · Yiisoft/Yii
Fi3Wey · Published 2022-11-21 · Updated 2022-11-30 · CVE-2022-41922
CVSS v3.1: 8.1 (High)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
yiisoft/yii versions prior to 1.1.27
Description
The issue allows Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input.
Recommendations
For versions prior to 1.1.27, upgrade yiisoft/yii to version 1.1.27 or higher. As a temporary workaround, do not call unserialize() on arbitrary user input until the patch is applied, and restrict access to any user input that could reach unserialize() to minimize the risk of exploitation.
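The sink the description refers to is any unserialize() call on attacker-controlled data: once PHP is allowed to instantiate application or framework classes from that string, whatever magic-method gadgets are loadable decide the outcome. The following is an added example, not code from the advisory or from the Yii project, and it deliberately shows no Yii gadget chain. It contrasts the vulnerable cookie-handling pattern with two hardened alternatives; the function names, the cookie format and the secret key are assumptions made for the example.

```php
<?php
// Added example (not from the advisory or Yii): the vulnerable pattern and
// two hardened alternatives for a "preferences" cookie. All names are assumed.

// VULNERABLE: the attacker controls the serialized string, so any loadable
// class with a __wakeup()/__destruct()/__toString() gadget can be instantiated.
function loadPrefsVulnerable(string $cookie): array
{
    $data = unserialize(base64_decode($cookie));
    return is_array($data) ? $data : [];
}

// HARDENED 1: forbid object instantiation. Any object in the payload becomes
// __PHP_Incomplete_Class, so no application or framework magic methods run.
// This is the minimal change when PHP serialization cannot be removed quickly.
function loadPrefsNoClasses(string $cookie): array
{
    $data = unserialize(base64_decode($cookie), ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// HARDENED 2 (preferred): do not use PHP serialization for untrusted input at
// all. Encode as JSON and authenticate the blob with an HMAC so that only
// server-issued values are ever parsed.
function issuePrefs(array $prefs, string $key): string
{
    $payload = json_encode($prefs, JSON_THROW_ON_ERROR);
    $mac = hash_hmac('sha256', $payload, $key);
    return base64_encode($mac . '|' . $payload);
}

function loadPrefsSigned(string $cookie, string $key): array
{
    $raw = base64_decode($cookie, true);
    if ($raw === false) {
        return [];
    }
    $parts = explode('|', $raw, 2);
    if (count($parts) !== 2) {
        return [];
    }
    [$mac, $payload] = $parts;
    // Constant-time comparison; verify before parsing anything.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return [];
    }
    $data = json_decode($payload, true);
    return is_array($data) ? $data : [];
}

// Demonstration with a constructed attacker payload: a serialized object
// rather than the array the application expects.
$attackerBlob = base64_encode('O:8:"stdClass":1:{s:3:"cmd";s:2:"id";}');
$key = 'example-secret-loaded-from-config'; // assumption: per-app secret

var_dump(loadPrefsNoClasses($attackerBlob)); // empty array: object never instantiated
var_dump(loadPrefsSigned($attackerBlob, $key)); // empty array: no valid HMAC

// Legitimate round trip through the signed format.
$cookie = issuePrefs(['theme' => 'dark'], $key);
var_dump(loadPrefsSigned($cookie, $key)); // ['theme' => 'dark']

// Tampering with a signed cookie is rejected before json_decode() runs.
$tampered = base64_encode(str_replace('dark', 'lite', base64_decode($cookie)));
var_dump(loadPrefsSigned($tampered, $key)); // empty array
```

Upgrading to 1.1.27 removes the framework-side gadgets this advisory covers, but it does not make unserialize() on untrusted input safe in general: other libraries in the same autoloader can supply new gadgets. Treat the upgrade and the removal of the unserialize() call as separate fixes and apply both.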
Weakness Enumeration
RCE
Deserialization of Untrusted Data
Related Identifiers
CVE-2022-41922
Affected Products
Yiisoft/Yii