yiisoft/yii2-dev Security Advisories for 2.0.0-rc (9)
-
[MEDIUM] yiisoft Yii2 Deserialization of Untrusted Data
PKSA-vjfw-277f-52gq CVE-2025-2689 GHSA-88m2-j94x-v4fx
Affected version: <=2.0.45
Reported by:
GitHub -
[HIGH] Yii Framework Code Injection
PKSA-sxhn-698f-dpfd CVE-2018-8074 GHSA-m2p5-fwp2-qcw2
Affected version: >=2.0.0,<2.0.15
Reported by:
GitHub -
[HIGH] Use of Insufficiently Random Values in yiisoft/yii2-dev
PKSA-gr88-dv3s-951n CVE-2021-3689 GHSA-hq3v-rg6f-6hx4
Affected version: <2.0.43
Reported by:
GitHub -
[MEDIUM] Use of Cryptographically Weak Pseudo-Random Number Generator in yiisoft/yii2-dev
PKSA-26mg-s28k-sb3m CVE-2021-3692 GHSA-wwvv-x5mq-h3jj
Affected version: <2.0.43
Reported by:
GitHub -
[CRITICAL] Potential SQL injection in methods `yii\db\ActiveRecord::findOne()` and `::findAll()`
PKSA-xtm2-wjhy-b81b CVE-2018-7269 GHSA-hhg2-g6h6-c266
Affected version: <2.0.12.1|>=2.0.13,<2.0.13.2|>=2.0.14,<2.0.15
Reported by:
GitHub, FriendsOfPHP/security-advisories -
Remote attackers could obtain potentially sensitive information from exception messages printed by the error handler in non-debug mode.
PKSA-2342-4j8y-2xvc CVE-2018-6010
Affected version: <2.0.14
Reported by:
FriendsOfPHP/security-advisories -
[HIGH] The switchIdentity() function in yii\web\User did not regenerate the CSRF token upon a change of identity
PKSA-w352-mtnh-r175 CVE-2018-6009 GHSA-cwhm-272p-3wj9
Affected version: <2.0.14
Reported by:
GitHub, FriendsOfPHP/security-advisories -
class yii\web\ViewAction allowed to include arbitrary files that end with .php
PKSA-vxs3-y9yw-z24k CVE-2015-5467
Affected version: <2.0.5
Reported by:
FriendsOfPHP/security-advisories -
JSON Data encoded for use in HTML was not safe to use in IE6/IE7, possible XSS attacks
PKSA-dp5z-g943-nbyy CVE-2015-3397
Affected version: <2.0.4
Reported by:
FriendsOfPHP/security-advisories