Exploit for Yii 2 < 2.0.38 - Remote Code Execution (CVE-2020-15148)

Description:

Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls unserialize() on arbitrary user input.
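
The version condition in the description can be checked from the defender's side without sending traffic to the application. The script below is an added example, not part of the original page or of the Yii project; it assumes the application is installed with Composer and carries a composer.lock, and the sample lockfile is constructed.

```python
import json
import re
import sys

PACKAGE = "yiisoft/yii2"
FIXED = (2, 0, 38)  # first fixed release, per the description above

# Constructed sample: a minimal composer.lock pinning a release below the fix.
SAMPLE_LOCK = """
{"packages": [
  {"name": "yiisoft/yii2-composer", "version": "2.0.10"},
  {"name": "yiisoft/yii2", "version": "2.0.37"}
], "packages-dev": []}
"""

def parse_version(text):
    """Return (major, minor, patch), or None for refs that are not plain
    numeric releases (dev-master, pre-release suffixes), which need manual review."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:\.\d+)?", text.strip())
    return tuple(int(part) for part in m.groups()) if m else None

def audit_lock(lock_text):
    """Classify the Yii 2 entry of a composer.lock document.

    Returns (status, raw_version); status is "vulnerable", "fixed",
    "unknown" (version not parseable) or "absent" (package not locked).
    """
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if str(pkg.get("name", "")).lower() != PACKAGE:
                continue
            raw = str(pkg.get("version", ""))
            version = parse_version(raw)
            if version is None:
                return "unknown", raw
            # Tuple comparison is numeric: 2.0.9 < 2.0.38, unlike a string compare.
            return ("vulnerable" if version < FIXED else "fixed"), raw
    return "absent", None

if __name__ == "__main__":
    # Audit the lockfile given as argv[1], or the constructed sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOCK
    status, version = audit_lock(text)
    print(f"{PACKAGE} {version}: {status}")
    sys.exit(1 if status in ("vulnerable", "unknown") else 0)
```

A "vulnerable" result matters only under the condition stated in the description, so pair it with a search of the application code for unserialize() calls that receive request data.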

Nuclei Template

View the template here: CVE-2020-15148.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2020/CVE-2020-15148.yaml

References:

https://nvd.nist.gov/vuln/detail/CVE-2020-15148
https://github.com/20142995/sectool
https://github.com/yiisoft/yii2/commit/9abccb96d7c5ddb569f92d1a748f50ee9b3e2b99
https://blog.csdn.net/xuandao_ahfengren/article/details/111259943
https://github.com/yiisoft/yii2/security/advisories/GHSA-699q-wcff-g9mj
https://github.com/nosafer/nosafer.github.io/blob/227a05f5eff69d32a027f15d6106c6d735124659/docs/Web%E5%AE%89%E5%85%A8/Yii2/%EF%BC%88CVE-2020-15148%EF%BC%89Yii2%E6%A1%86%E6%9E%B6%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E.md