HTTP Request Redirection

Affecting yiisoft/yii2 package, versions >=2.0, <2.0.14

Overview

yiisoft/yii2 is a framework designed to be a solid foundation for PHP applications.

Affected versions of this package are vulnerable to HTTP Request Redirection. Remote attackers could obtain potentially sensitive information from exception messages printed by the error handler in non-debug mode, related to base/ErrorHandler.php, log/Dispatcher.php, and views/errorHandler/exception.php.

Remediation

Upgrade yiisoft/yii2 to version 2.0.14 or higher.
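
To check whether a project is pinned to an affected release, the following added example (not part of the advisory or of the Yii project) scans a `composer.lock` for `yiisoft/yii2` and compares the locked version against the range stated above. It assumes Composer's usual lock layout, with `packages` and `packages-dev` arrays of `name`/`version` entries; the function names and the sample lock content are constructed for illustration.

```python
import json
import re

PACKAGE = "yiisoft/yii2"
AFFECTED_MIN = (2, 0)      # inclusive lower bound from the advisory (>=2.0)
FIXED_IN = (2, 0, 14)      # first fixed release from the advisory (<2.0.14)


def parse_version(text):
    """Tuple of ints for '2.0.13.1' or 'v2.0.13'; None for 'dev-master', '2.0.14-beta'."""
    match = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in match.group(1).split(".")) if match else None


def is_affected(version_text):
    """True/False for a plain release, None when the version cannot be ordered."""
    version = parse_version(version_text)
    if version is None:
        return None
    width = max(len(version), len(FIXED_IN))

    def pad(v):
        # Right-pad with zeros so that '2.0' and '2.0.0' compare as equal.
        return v + (0,) * (width - len(v))

    return pad(AFFECTED_MIN) <= pad(version) < pad(FIXED_IN)


def scan_lockfile(lock_text):
    """Return [(section, version, status)] for every locked yiisoft/yii2 entry."""
    lock = json.loads(lock_text)
    labels = {True: "affected", False: "not affected", None: "review"}
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() != PACKAGE:
                continue  # sibling packages such as yiisoft/yii2-debug are skipped
            version = pkg.get("version", "")
            findings.append((section, version, labels[is_affected(version)]))
    return findings


# Constructed sample lock content (not taken from the advisory).
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "yiisoft/yii2", "version": "2.0.13.1"},
                 {"name": "yiisoft/yii2-debug", "version": "2.0.13"}],
    "packages-dev": [{"name": "yiisoft/yii2", "version": "dev-master"}],
})

if __name__ == "__main__":
    for finding in scan_lockfile(SAMPLE_LOCK):
        print(*finding)
```

Entries reported as `review` (branch aliases and pre-release tags) cannot be ordered against the range and need to be resolved to a concrete release by hand.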

CVSS Score

8.1 (high severity)

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

  • Credit: Unknown
  • CVE: CVE-2016-5385
  • CWE: CWE-284
  • Snyk ID: SNYK-PHP-YIISOFTYII2-72039
  • Disclosed: 22 Jan, 2018
  • Published: 19 Feb, 2018