Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14ODdtLTM2ZzctNm1wd84AAwO9
Yii2 Gii Cross-site Scripting vulnerability
Some fields like Message Category (requires I18N enabled) in Model Generator, CRUD Generator or Form Generator, Author Name in Extension Generator, etc. are being cached without sanitisation of their contents when the Preview button is pressed. This leads to possibility of injecting malicious javascript in specified pages by placing it in said fields and caching it by pressing Preview button. On each consequent visit of specified pages malicious javascript will be loaded from server and executed in client's browser.
Permalink: https://github.com/advisories/GHSA-x87m-36g7-6mpwJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14ODdtLTM2ZzctNm1wd84AAwO9
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-x87m-36g7-6mpw, CVE-2022-34297
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-34297
- https://gist.github.com/be4r/b5c48d97ef6726d3ee37f995ee5aac81
- https://github.com/advisories/GHSA-x87m-36g7-6mpw
Affected Packages
packagist:yiisoft/yii2-gii
Dependent packages: 669Dependent repositories: 18,891
Downloads: 14,043,566 total
Affected Version Ranges: <= 2.2.4
No known fixed version
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4