Security Advisories - yiisoft/yii2-dev - Packagist

yiisoft/yii2-dev Security Advisories for 2.0.0-rc (5)

Potential SQL injection in methods `yii\db\ActiveRecord::findOne()` and `::findAll()`

CVE-2018-7269

Affected version: <2.0.12.1|>=2.0.13,<2.0.13.2|>=2.0.14,<2.0.15

Reported by:
FriendsOfPHP/security-advisories
Remote attackers could obtain potentially sensitive information from exception messages printed by the error handler in non-debug mode.

CVE-2018-6010

Affected version: <2.0.14

Reported by:
FriendsOfPHP/security-advisories
The switchIdentity() function in yii\web\User did not regenerate the CSRF token upon a change of identity

CVE-2018-6009

Affected version: <2.0.14

Reported by:
FriendsOfPHP/security-advisories
class yii\web\ViewAction allowed to include arbitrary files that end with .php

CVE-2015-5467

Affected version: <2.0.5

Reported by:
FriendsOfPHP/security-advisories
JSON Data encoded for use in HTML was not safe to use in IE6/IE7, possible XSS attacks

CVE-2015-3397

Affected version: <2.0.4

Reported by:
FriendsOfPHP/security-advisories