CVE-2018-20745

MEDIUM5.9EPSS 0.12%

Yii Incorrectly Implements CORS

發布日:2022/5/14修改日:2024/2/16

描述

Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.

受影響套件(1)

Packagist/yiisoft/yii2from 0, < 2.0.16

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM5.9	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2018-20745
WEBhttps://github.com/yiisoft/yii2/issues/16193
WEBhttps://github.com/yiisoft/yii2/pull/16198
WEBhttps://www.usenix.org/system/files/conference/usenixsecurity18/sec18-chen.pdf