CVE-2018-20745

MEDIUM 5.9 | EPSS 0.12%

Yii Incorrectly Implements CORS

Published: 5/14/2022
Modified: 2/16/2024
Also known as: GHSA-cr6r-6xm9-ww22

Description

Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.

CVSS scores

Source | Version | Severity | Vector
osv | CVSS 3.1 | MEDIUM 5.9 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N