Home > Vulnerability Database > CVE-2020-15148

Mend.io Vulnerability Database

CVE-2020-15148

Date: September 15, 2020

Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls "unserialize()" on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.

Language: C

Severity Score

8.9

Related Resources (6)

Url: https://www.yiiframework.com/news/303/yii-2-0-38

Url: https://github.com/yiisoft/yii2/security/advisories/GHSA-699q-wcff-g9mj

Url: https://github.com/yiisoft/yii2/commit/9abccb96d7c5ddb569f92d1a748f50ee9b3e2b99

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-15148

Url: https://github.com/FriendsOfPHP/security-advisories/blob/master/yiisoft/yii2/CVE-2020-15148.yaml

Url: https://www.mend.io/vulnerability-database/CVE-2020-15148

Severity Score

8.9

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

CVSS v3.1

Base Score:	8.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	7.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-15148

Date: September 15, 2020

Language: C

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?