PT-2024-33740 · Yii2 · Yii2

Published

2024-06-02

·

Updated

2025-11-05

·

CVE-2024-4990

CVSS v3.1

9.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Name of the Vulnerable Software and Affected Versions

yiisoft/yii2 version 2.0.48

Description

The base Component class in yiisoft/yii2 contains a vulnerability where the set() magic method does not validate that the value passed is a valid Behavior class name or configuration. This allows an attacker to instantiate arbitrary classes, passing parameters to their constructors and invoking setter methods. Depending on the installed dependencies, various types of attacks are possible, including the execution of arbitrary code, retrieval of sensitive information, and unauthorized access. The vulnerability can be exploited by controlling the content of the $value variable, which can then be used to instantiate arbitrary classes and invoke setter methods.

Recommendations

As a temporary workaround, consider disabling the set() magic method in the Component class until a patch is available. Restrict access to the vulnerable Component class to minimize the risk of exploitation. Avoid using the $value variable in the affected set() method until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
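The path the Description refers to is Yii2's behavior attachment: a configuration key of the form `as <name>` makes Component::__set() hand the value to Yii::createObject(), which builds whatever class the value names. The following is an added example, not Yii's own code, of a guard that lets only allow-listed behavior classes through before a configuration array reaches Yii::configure(); the guard class, its name and the sample values are constructed for illustration.

```php
<?php
// Added example (not part of Yii2): validate "as <name>" entries of a
// configuration array before it is passed to Yii::configure().
declare(strict_types=1);

final class BehaviorConfigGuard
{
    /** @param string[] $allowedBehaviors fully qualified behavior class names */
    public function __construct(private array $allowedBehaviors) {}

    /**
     * Returns $config unchanged when every "as <name>" entry names an
     * allow-listed class; throws otherwise. Non-behavior keys are left
     * alone, so ordinary property assignments still work.
     */
    public function check(array $config): array
    {
        foreach ($config as $key => $value) {
            if (!is_string($key) || strncmp($key, 'as ', 3) !== 0) {
                continue; // plain property, not a behavior attachment
            }
            if (is_string($value)) {
                $class = $value;                       // "as x" => 'Fully\Qualified\Name'
            } elseif (is_array($value)) {
                $class = $value['class'] ?? $value['__class'] ?? null; // "as x" => ['class' => ...]
            } else {
                $class = null;                         // objects/closures from input are rejected
            }
            if (!is_string($class) || !in_array(ltrim($class, '\\'), $this->allowedBehaviors, true)) {
                throw new InvalidArgumentException(sprintf(
                    'Behavior entry "%s" does not name an allowed class (%s)',
                    $key,
                    var_export($class, true)
                ));
            }
        }
        return $config;
    }
}

// Constructed sample input: one allowed behavior, one class outside the allow list.
$guard = new BehaviorConfigGuard(['yii\behaviors\TimestampBehavior']);
$safe = $guard->check(['as timestamp' => ['class' => 'yii\behaviors\TimestampBehavior']]);
try {
    $guard->check(['as injected' => 'Example\Unexpected\ClassName']); // constructed value
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The returned `$safe` array is what should be handed to Yii::configure(); the raw input never reaches Component::__set().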

Exploit

Weakness Enumeration

Related Identifiers

CVE-2024-4990
GHSA-CJCC-P67M-7QXM

Affected Products

Yii2