Yii Framework 2.0.9 - Reflected XSS

Advisory ID: RO-17-003
CVE ID: CVE-2018-6010
Severity: Medium
Vendor: Yii Software
Product: Yii Framework
Version: 2.0.9

Overview #

A Reflected Cross-site Scripting (XSS) vulnerability exists in Yii Framework version 2.0.9 and earlier versions before 2.0.14. The vulnerability exists in the error handler component.

Vulnerability Details #

Affected Versions: 2.0.9 and earlier, before 2.0.14

Location: base/ErrorHandler.php

Root Cause: The vulnerability exists due to improper handling of error messages, allowing attackers to inject malicious scripts.

Exploitation Requirements #

  • No authentication required
  • Victim must trigger an error with a crafted payload

Impact #

Remote attackers can exploit this vulnerability to:

  • Execute JavaScript in the victim's browser
  • Steal application session cookies
  • Perform actions on behalf of users

Proof of Concept #

Details available upon request.

Solution #

Upgrade to Yii Framework version 2.0.14 or later.

References #

Timeline:

  • [2017-01-01] - Discovered

Credits: Omar Kurt