Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Showing 50 of 168443 entries
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2021-4107 | yetiforcecrm is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | MEDIUM | Dec 15, 2021 |
| CVE-2020-23691 | YFCMF v2.3.1 has a Remote Command Execution (RCE) vulnerability in the index.php. | HIGH | May 14, 2021 |
| CVE-2018-11557 | YIBAN Easy class education platform 2.0 has XSS via the articlelist.php k parameter. | MEDIUM | May 30, 2018 |
| CVE-2018-10704 | yidashi yii2cmf 2.0 has XSS via the /search q parameter. | MEDIUM | Mar 12, 2020 |
| CVE-2020-15148 | Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory. | HIGH | Sep 15, 2020 |
| CVE-2022-31454 | Yii 2 v2.0.45 was discovered to contain a cross-site scripting (XSS) vulnerability via the endpoint /books. NOTE: this is disputed by the vendor because the cve-2022-31454-8e8555c31fd3 page does not describe why /books has a relationship to Yii 2. | -- | Jul 28, 2023 |
| CVE-2018-8073 | Yii 2.x before 2.0.15 allows remote attackers to execute arbitrary LUA code via a variant of the CVE-2018-7269 attack in conjunction with the Redis extension. | HIGH | Mar 21, 2018 |
| CVE-2018-8074 | Yii 2.x before 2.0.15 allows remote attackers to inject unintended search conditions via a variant of the CVE-2018-7269 attack in conjunction with the Elasticsearch extension. | MEDIUM | Mar 21, 2018 |
| CVE-2018-20745 | Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems. | MEDIUM | Jan 28, 2019 |
| CVE-2023-47130 | Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29 release. Users are advised to upgrade. There are no known workarounds for this vulnerability. | -- | Nov 14, 2023 |
| CVE-2020-36655 | Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file. | -- | Jan 23, 2023 |
| CVE-2022-34297 | Yii Yii2 Gii through 2.2.4 allows stored XSS by injecting a payload into any field. | -- | Dec 10, 2022 |
| CVE-2021-3692 | yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator | MEDIUM | Aug 10, 2021 |
| CVE-2021-3689 | yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator | MEDIUM | Aug 10, 2021 |
| CVE-2023-50708 | yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth1/2 `state` and OpenID Connect `nonce` is vulnerable for a `timing attack` since it is compared via regular string comparison (instead of `Yii::$app->getSecurity()->compareString()`). Version 2.2.15 contains a patch for the issue. No known workarounds are available. | -- | Dec 22, 2023 |
| CVE-2023-50714 | yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth2 PKCE implementation is vulnerable in 2 ways. First, the `authCodeVerifier` should be removed after usage (similar to `authState`). Second, there is a risk for a `downgrade attack` if PKCE is being relied on for CSRF protection. Version 2.2.15 contains a patch for the issue. No known workarounds are available. | -- | Dec 22, 2023 |
| CVE-2019-16130 | YII2-CMS v1.0 has XSS in protected\core\modules\home\models\Contact.php via a name field to /contact.html. | MEDIUM | Sep 9, 2019 |
| CVE-2022-36605 | Yimioa v6.1 was discovered to contain a SQL injection vulnerability via the orderbyGET parameter. | -- | Aug 19, 2022 |
| CVE-2023-51837 | Ylianst MeshCentral 1.1.16 is vulnerable to Missing SSL Certificate Validation. | -- | Jan 30, 2024 |
| CVE-2023-51838 | Ylianst MeshCentral 1.1.16 suffers from Use of a Broken or Risky Cryptographic Algorithm. | -- | Feb 2, 2024 |
| CVE-2018-20133 | ymlref allows code injection. | HIGH | Dec 17, 2018 |
| CVE-2017-12760 | Ynet Interactive - http://demo.ynetinteractive.com/mobiketa/ Mobiketa 4.0 is affected by: SQL Injection. The impact is: Code execution (remote). | MEDIUM | May 10, 2019 |
| CVE-2017-12759 | Ynet Interactive - http://demo.ynetinteractive.com/soa/ SOA School Management 3.0 is affected by: SQL Injection. The impact is: Code execution (remote). | HIGH | May 13, 2019 |
| CVE-2024-25626 | Yocto Project is an open source collaboration project that helps developers create custom Linux-based systems regardless of the hardware architecture. In Yocto Projects Bitbake before 2.6.2 (before and included Yocto Project 4.3.1), with the Toaster server (included in bitbake) running, missing input validation allows an attacker to perform a remote code execution in the server's shell via a crafted HTTP request. Authentication is not necessary. Toaster server execution has to be specifically run and is not the default for Bitbake command line builds, it is only used for the Toaster web based user interface to Bitbake. The fix has been backported to the bitbake included with Yocto Project 5.0, 3.1.31, 4.0.16, and 4.3.2. | -- | Feb 20, 2024 |
| CVE-2016-10375 | Yodl before 3.07.01 has a Buffer Over-read in the queue_push function in queue/queuepush.c. | HIGH | Jun 6, 2017 |
| CVE-2020-5627 | Yodobashi App for Android versions 1.8.7 and earlier allows remote attackers to lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack. | MEDIUM | Sep 9, 2020 |
| CVE-2023-29626 | Yoga Class Registration System 1.0 was discovered to contain a SQL injection vulnerability via the cid parameter at /admin/login.php. | -- | Apr 14, 2023 |
| CVE-2023-1722 | Yoga Class Registration System version 1.0 allows an administrator to execute commands on the server. This is possible because the application does not correctly validate the thumbnails of the classes uploaded by the administrators. | -- | Jun 24, 2023 |
| CVE-2023-1721 | Yoga Class Registration System version 1.0 allows an administrator to execute commands on the server. This is possible because the application does not correctly validate the thumbnails of the classes uploaded by the administrators. | -- | Jun 24, 2023 |
| CVE-2017-17630 | Yoga Class Script 1.0 has SQL Injection via the /list city parameter. | HIGH | Dec 13, 2017 |
| CVE-2018-17896 | Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, All versions R4.10 and prior, The affected controllers utilize hard-coded credentials which may allow an attacker gain unauthorized access to the maintenance functions and obtain or modify information. This attack can be executed only during maintenance work. | HIGH | Oct 12, 2018 |
| CVE-2018-17902 | Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, All versions R4.10 and prior, The application utilizes multiple methods of session management which could result in a denial of service to the remote management functions. | MEDIUM | Oct 12, 2018 |
| CVE-2018-17900 | Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, All versions R4.10 and prior, The web application improperly protects credentials which could allow an attacker to obtain credentials for remote access to controllers. | MEDIUM | Oct 12, 2018 |
| CVE-2018-17898 | Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, All versions R4.10 and prior, The controller application fails to prevent memory exhaustion by unauthorized requests. This could allow an attacker to cause the controller to become unstable. | HIGH | Oct 12, 2018 |
| CVE-2018-10592 | Yokogawa STARDOM FCJ controllers R4.02 and prior, FCN-100 controllers R4.02 and prior, FCN-RTU controllers R4.02 and prior, and FCN-500 controllers R4.02 and prior utilize hard-coded credentials that could allow an attacker to gain unauthorized administrative access to the device, which could result in remote code execution. | HIGH | Aug 1, 2018 |
| CVE-2023-51927 | YonBIP v3_23.05 was discovered to contain a SQL injection vulnerability via the com.yonyou.hrcloud.attend.web.AttendScriptController.runScript() method. | -- | Jan 20, 2024 |
| CVE-2023-51926 | YonBIP v3_23.05 was discovered to contain an arbitrary file read vulnerability via the nc.bs.framework.comn.serv.CommonServletDispatcher component. | -- | Jan 20, 2024 |
| CVE-2022-26263 | Yonyou u8 v13.0 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability via the component /u8sl/WebHelp. | MEDIUM | Mar 25, 2022 |
| CVE-2017-3211 | Yopify, an e-commerce notification plugin, up to April 06, 2017, leaks the first name, last initial, city, and recent purchase data of customers, all without user authorization. | MEDIUM | Jan 15, 2020 |
| CVE-2021-45475 | Yordam Library Information Document Automation product before version 19.02 has an unauthenticated Information disclosure vulnerability. | -- | Oct 28, 2022 |
| CVE-2021-45476 | Yordam Library Information Document Automation product before version 19.02 has an unauthenticated reflected XSS vulnerability. | -- | Oct 28, 2022 |
| CVE-2018-11522 | Yosoro 1.0.4 has stored XSS. | MEDIUM | Jun 2, 2018 |
| CVE-2022-32299 | YoudianCMS v9.5.0 was discovered to contain a SQL injection vulnerability via the id parameter at /App/Lib/Action/Admin/SiteAction.class.php. | MEDIUM | Jun 15, 2022 |
| CVE-2022-32301 | YoudianCMS v9.5.0 was discovered to contain a SQL injection vulnerability via the IdList parameter at /App/Lib/Action/Home/ApiAction.class.php. | HIGH | Jun 15, 2022 |
| CVE-2022-32300 | YoudianCMS v9.5.0 was discovered to contain a SQL injection vulnerability via the MailSendID parameter at /App/Lib/Action/Admin/MailAction.class.php. | MEDIUM | Jun 15, 2022 |
| CVE-2018-18242 | youke365 v1.1.5 has SQL injection via admin/login.html, as demonstrated by username=admin&pass=123456&code=9823&act=login&submit=%E7%99%BB+%E9%99%86. | HIGH | Oct 11, 2018 |
| CVE-2020-13911 | Your Online Shop 1.8.0 allows authenticated users to trigger XSS via a Change Name or Change Surname operation. | LOW | Jun 12, 2020 |
| CVE-2021-3785 | yourls is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | LOW | Sep 15, 2021 |
| CVE-2021-3783 | yourls is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | MEDIUM | Sep 15, 2021 |
| CVE-2021-3734 | yourls is vulnerable to Improper Restriction of Rendered UI Layers or Frames | MEDIUM | Aug 26, 2021 |
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version.

Requires LTSS: customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.