CVE-2024-58136

Critical KEV CVSS: 9.0

Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.

Vendor

Yiiframework

Product

Yii

CWE

CWE-424

Yayın Tarihi

2025-04-10 03:15:17

Güncelleme

2025-11-05 19:28:54

Source Identifier

cve@mitre.org

KEV Date Added

2025-05-02

Kategoriler

CWE-424 Yii CRITICAL Yiiframework 2025

Referanslar

https://github.com/yiisoft/yii2/commit/40fe496eda529fd1d933b56a1022ec32d3cd0b12 https://github.com/yiisoft/yii2/compare/2.0.51...2.0.52 https://github.com/yiisoft/yii2/pull/20232 https://github.com/yiisoft/yii2/pull/20232#issuecomment-2252459709 https://www.yiiframework.com/news/709/please-upgrade-to-yii-2-0-52 https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/ https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-58136

Benzer Kayıtlar

Medium

CVE-2025-48493

The Yii 2 Redis extension provides the redis key-value store support for the Yii framework 2.0. On failing connection, t…

Medium

CVE-2025-32027

Yii is an open source PHP web framework. Prior to 1.1.31, yiisoft/yii is vulnerable to Reflected XSS in specific scenari…

Medium

CVE-2025-2690

A vulnerability, which was classified as critical, was found in yiisoft Yii2 up to 2.0.39. This affects the function Gen…

Medium

CVE-2025-2689

A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue i…

Critical

CVE-2024-4990

In yiisoft/yii2 version 2.0.48, the base Component class contains a vulnerability where the `__set()` magic method does…