Basic Information

| Field | Value |
|---|---|
| CVSS Score | - |
| CVE ID | - |
| GHSA ID | - |
| EPSS Score | - |
| CWE | - |
| Published | - |
| Updated | - |
| KEV Status | - |
| Technology | - |
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| yiisoft/yii2 | composer | < 2.0.4 | 2.0.4 |
The vulnerability stems from how JSON data was encoded when it was embedded in HTML. Json::encode() produces output that is valid JSON but not HTML-safe: HTML-significant characters such as `<`, `>` and `&` pass through unescaped, and IE6/7's non-standard parsing behavior makes that exploitable when the encoded data is written into an HTML page. Json::encode() is therefore the vulnerable function whenever its output lands in an HTML output context. The fix in 2.0.4 added Json::htmlEncode(), which escapes those characters so the JSON can be embedded safely; the changelog shows it was introduced to replace the unsafe uses of Json::encode() in those scenarios, and the advisory states that JSON data encoded into HTML was the attack vector. Remediation is to upgrade to 2.0.4 or later and to use Json::htmlEncode() wherever JSON is inlined in HTML.
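The difference between a JSON-safe and an HTML-safe encoder, as an added example that is not code from Yii or from the advisory. It uses PHP's own json_encode() flags rather than the framework helper so it runs stand-alone: the JSON_HEX_* flags are the mechanism an HTML-safe encoder relies on, and the JSON_UNESCAPED_SLASHES flag on the unsafe side is an assumption made so that a closing tag in the data reaches the HTML parser verbatim. The input value, the function names (jsonEncodeUnsafe, jsonEncodeHtmlSafe, renderScriptBlock, breaksOutOfScript, check) and the UNTRUSTED_NAME constant are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not Yii's code. Assumption: the unsafe encoder leaves "/"
// unescaped (JSON_UNESCAPED_SLASHES), so "</script>" survives encoding intact.

// Constructed attacker-controlled input, e.g. a user's display name.
const UNTRUSTED_NAME = '</script><script>alert(document.cookie)</script>';

/** JSON-safe only: <, >, &, ' and / pass through untouched. */
function jsonEncodeUnsafe(array $value): string
{
    return json_encode(
        $value,
        JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR
    );
}

/**
 * HTML-safe: <, >, &, ' and " become \u003C, \u003E, \u0026, \u0027, \u0022.
 * The output is still valid JSON (json_decode() and JSON.parse() round-trip
 * it), but it contains no character that can open or close a tag, an entity
 * or a quoted attribute, so it can be inlined in <script> or in an attribute.
 */
function jsonEncodeHtmlSafe(array $value): string
{
    return json_encode(
        $value,
        JSON_UNESCAPED_UNICODE | JSON_HEX_TAG | JSON_HEX_AMP
            | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** The page fragment that hands server-side data to client-side code. */
function renderScriptBlock(string $json): string
{
    return '<script>var user = ' . $json . ';</script>';
}

/**
 * Reviewer check for <script> contexts: the HTML parser ends a script block
 * at the first "</script" (case-insensitive), regardless of JS string quoting,
 * so any encoded JSON that still contains that sequence is exploitable.
 */
function breaksOutOfScript(string $json): bool
{
    return stripos($json, '</script') !== false;
}

function check(bool $condition, string $message): void
{
    if (!$condition) {
        throw new RuntimeException($message);
    }
}

$value = ['name' => UNTRUSTED_NAME];

$unsafe = jsonEncodeUnsafe($value);
$safe   = jsonEncodeHtmlSafe($value);

// Print both fragments; only the first one hands the browser an early </script>.
echo renderScriptBlock($unsafe), PHP_EOL;
echo renderScriptBlock($safe), PHP_EOL;

check(breaksOutOfScript($unsafe), 'plain JSON carries the closing tag through');
check(!breaksOutOfScript($safe), 'HTML-safe JSON must not contain </script');
check(
    json_decode($safe, true, 512, JSON_THROW_ON_ERROR) === $value,
    'escaping changes only the transport form, not the decoded data'
);
```

Run it with `php example.php`. The check against `</script` is deliberately string-based rather than JSON-aware, because that is how the HTML tokenizer behaves: it does not know it is inside a JavaScript string literal. The same `\u00XX` escaping also covers double-quoted attribute contexts, which is why the HTML-safe variant includes JSON_HEX_QUOT even though the `</script>` case alone would only need JSON_HEX_TAG.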