CVE-2018-7269: SQL injection
The `findByCondition` function in `framework/db/ActiveRecord.php` allows remote attackers to conduct SQL injection attacks via a `findOne()` or `findAll()` call, unless a developer recognizes an undocumented need to sanitize array input.
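The pattern described above, as an added example (not Yii's code and not part of the advisory): a simplified stand-in for a hash-format condition builder shows why array input handed to `findOne()` or `findAll()` needs sanitizing, next to two ways to constrain it. `buildWhere`, `scalarId`, `filterColumns` and the sample request value are hypothetical names and data made up for illustration.

```php
<?php
// Simplified model of a hash-format condition builder, NOT Yii's source.
// Assumption: array keys become column names, only values are bound.
function buildWhere(array $condition): array
{
    $parts = [];
    $params = [];
    foreach ($condition as $column => $value) {
        $placeholder = ':p' . count($params);
        $parts[] = "$column = $placeholder"; // key is copied into the SQL text
        $params[$placeholder] = $value;      // value is bound as a parameter
    }
    return [implode(' AND ', $parts), $params];
}

// Hypothetical helper: accept only a scalar integer primary key.
function scalarId($raw): int
{
    if (!is_scalar($raw) || !preg_match('/\A\d+\z/', (string) $raw)) {
        throw new InvalidArgumentException('id must be a plain integer');
    }
    return (int) $raw;
}

// Hypothetical helper: allow array input only for known column names.
function filterColumns(array $raw, array $allowed): array
{
    $unknown = array_diff(array_keys($raw), $allowed);
    if ($unknown !== []) {
        throw new InvalidArgumentException('unexpected column: ' . implode(', ', $unknown));
    }
    return $raw;
}

// Constructed input: a request parameter that arrived as an array, not a scalar.
$fromRequest = ['some_key' => '5'];

// Unsanitized: the request-controlled key lands in the column position.
[$sql] = buildWhere($fromRequest);
echo "unsanitised: WHERE $sql\n";

// Constrained: the application names the column, the request supplies a scalar.
[$sql, $params] = buildWhere(['id' => scalarId('5')]);
echo "scalar id:   WHERE $sql ", json_encode($params), "\n";

// Both helpers refuse the array-shaped input before it reaches the builder.
foreach ([fn() => scalarId($fromRequest), fn() => filterColumns($fromRequest, ['id', 'status'])] as $check) {
    try { $check(); } catch (InvalidArgumentException $e) { echo "rejected: {$e->getMessage()}\n"; }
}
```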