CVE-2020-36655 – yiisoft/yii2-gii
Package
Manager: composer
Name: yiisoft/yii2-gii
Vulnerable Version: >=0 <2.2.2
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.01348 (percentile: 0.79343)
Details
Command injection in yiisoft/yii2-gii: Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file.
Metadata
Created: 2023-01-21T03:30:28Z
Modified: 2025-04-02T22:31:52Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-3mpg-q26j-83j5/GHSA-3mpg-q26j-83j5.json
CWE IDs: CWE-94
Alternative ID: GHSA-3mpg-q26j-83j5
Finding: F422
Auto approve: 1