CVE-2023-47130: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

November 14, 2023

Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 is vulnerable to Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

github.com/advisories/GHSA-mw2w-2hj2-fg8q
github.com/yiisoft/yii/commit/37142be4dc5831114a375392e86d6450d4951c06
github.com/yiisoft/yii/security/advisories/GHSA-mw2w-2hj2-fg8q
nvd.nist.gov/vuln/detail/CVE-2023-47130
owasp.org/www-community/vulnerabilities/PHP_Object_Injection

Code Behaviors & Features

Detect and mitigate CVE-2023-47130 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →