CVE-2017-7271 Information

Description

Reflected Cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.11 when development mode is used allows remote attackers to inject arbitrary web script or HTML via crafted request data that is mishandled on the debug-mode exception screen.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

http://www.securityfocus.com/bid/97167 http://www.yiiframework.com/news/123/yii-2-0-11-is-released/ https://github.com/yiisoft/yii2/commit/97171a0db7cda0a49931ee0c3b998ef50bd06756 https://github.com/yiisoft/yii2/pull/13401

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

6.1