Vulnerability Details : CVE-2020-36655

Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file.

Vulnerability category: Execute code

Published 2023-01-21 01:15:12

Updated 2023-01-30 16:45:48

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2020-36655

Probability of exploitation activity in the next 30 days: 0.30%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 66 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2020-36655

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	[email protected]
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2020-36655

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Assigned by: [email protected] (Primary)

References for CVE-2020-36655

https://lab.wallarm.com/yii2-gii-remote-code-execution/

Exploit;Mitigation;Third Party Advisory
https://github.com/yiisoft/yii2-gii/issues/433

Exploit;Issue Tracking;Third Party Advisory

Products affected by CVE-2020-36655

Yiiframework » GII » For Yii2
Versions before (<) 2.2.2
cpe:2.3:a:yiiframework:gii:*:*:*:*:*:yii2:*:*
Matching versions