CVE-2022-34297 – yiisoft/yii2-gii
Package
Manager: composer
Name: yiisoft/yii2-gii
Vulnerable Version: >=0 <=2.2.4
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00159 (percentile 0.37316)
Details
Yii2 Gii cross-site scripting vulnerability. Some fields, such as Message Category (requires I18N enabled) in the Model Generator, CRUD Generator or Form Generator, and Author Name in the Extension Generator, are cached without sanitisation of their contents when the Preview button is pressed. This makes it possible to inject malicious JavaScript into the affected pages by placing it in those fields and caching it with the Preview button. On each subsequent visit to those pages the malicious JavaScript is loaded from the server and executed in the client's browser.
Metadata
Created: 2022-12-10T00:30:17Z
Modified: 2025-04-23T15:22:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-x87m-36g7-6mpw/GHSA-x87m-36g7-6mpw.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-x87m-36g7-6mpw
Finding: F425
Auto approve: 1