CVE-2018-6009

high-risk

Published 2018-01-22

In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity.

Do I need to act?

-

0.17% chance of exploitation

EPSS score — low exploit probability

-

Not on CISA KEV list

No confirmed active exploitation reported to CISA

?

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

8

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (20)

Yiiframework

Yiiframework

Yiiframework

Yiiframework

Yiiframework

Yiiframework

Yiiframework

Yiiframework

Yiiframework

Yiiframework

Yiiframework

Yiiframework

Yiiframework

Yiiframework

Yiiframework

Yiiframework

Yiiframework

Yiiframework

Yiiframework

Yiiframework

Affected Vendors

Yiiframework

References (2)

Patch https://github.com/yiisoft/yii2/commit/6c0540aa2d6e0fe0fa89e4fd35bba4be5d6cece7

Patch https://github.com/yiisoft/yii2/commit/6c0540aa2d6e0fe0fa89e4fd35bba4be5d6cece7

51

/ 100

high-risk

Severity 30/34 · Critical

Exploitability 1/34 · Minimal

Exposure 20/34 · Moderate