CVE-2018-8074

HIGH8.1EPSS 0.85%

Yii Framework Code Injection

發布日:2022/5/24修改日:2024/2/16

描述

Yii 2.x before 2.0.15 allows remote attackers to inject unintended search conditions via a variant of the CVE-2018-7269 attack in conjunction with the Elasticsearch extension.

受影響套件(2)

Packagist/yiisoft/yii2-dev>= 2.0.0, < 2.0.15
Packagist/yiisoft/yii2-elasticsearchfrom 0, < 2.0.5

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.1	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2018-8074
PATCHhttps://github.com/yiisoft/yii2
WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/yiisoft/yii2-elasticsearch/CVE-2018-8074.yaml
WEBhttps://www.yiiframework.com/news/168/releasing-yii-2-0-15-and-database-extensions-with-security-fixes
WEBhttp://www.yiiframework.com/news/168/releasing-yii-2-0-15-and-database-extensions-with-security-fixes