CVE-2018-6010 Information

Description

In Yii Framework 2.x before 2.0.14, remote attackers could obtain potentially sensitive information from exception messages, or exploit reflected XSS on the error handler page, in non-debug mode. Related to base/ErrorHandler.php, log/Dispatcher.php, and views/errorHandler/exception.php.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Reference

https://github.com/yiisoft/yii2/commit/6b0be47e0fa9c532e03b07b4369050582fcf5c7a
https://github.com/yiisoft/yii2/issues/14711
https://github.com/yiisoft/yii2/pull/15534

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

7.5

Base Severity

HIGH
