6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2017-20158

GHSA ID

GHSA-j82x-fh8h-326g

EPSS Score

0.2972%

CWE

CWE-79

Published

12/31/2022

Updated

12/29/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-20158

CVE-2017-20158: Yii2 FileAPI Widget vulnerable to Cross-site Scripting

A vulnerability was found in vova07 Yii2 FileAPI Widget up to 0.1.8. It has been declared as problematic. Affected by this vulnerability is the function run of the file actions/UploadAction.php. The manipulation of the argument file leads to cross site scripting. The attack can be launched remotely. Upgrading to version 0.1.9 can address this issue. The name of the patch is c00d1e4fc912257fca1fce66d7a163bdbb4c8222. It is recommended to upgrade the affected component. The identifier VDB-217141 was assigned to this vulnerability.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2017-20158

GHSA ID

GHSA-j82x-fh8h-326g

EPSS Score

0.2972%

CWE

CWE-79

Published

12/31/2022

Updated

12/29/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
vova07/yii2-fileapi-widget	composer	< 0.1.9	0.1.9

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the unescaped error message output in the run() method. The commit diff shows the fix adds Html::encode() to sanitize the error message. Since this method handles user-controlled file upload errors and directly returns the unescaped value in JSON responses, it creates an XSS vector when the error message is rendered in the browser. The patch confirmation and CWE-79 classification confirm this is an XSS vulnerability caused by improper output encoding in this function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility w*s *oun* in vov*** Yii* *il**PI Wi***t up to *.*.*. It **s ***n ***l*r** *s pro*l*m*ti*. *****t** *y t*is vuln*r**ility is t** *un*tion run o* t** *il* **tions/Uplo****tion.p*p. T** m*nipul*tion o* t** *r*um*nt *il* l***s to *ross si

Reasoning

T** vuln*r**ility st*ms *rom t** un*s**p** *rror m*ss*** output in t** `run()` m*t*o*. T** *ommit *i** s*ows t** *ix ***s `*tml::*n*o**()` to s*nitiz* t** *rror m*ss***. Sin** t*is m*t*o* **n*l*s us*r-*ontroll** *il* uplo** *rrors *n* *ir**tly r*turn

6.1

Basic Information

Concerned about an active attack path?

CVE-2017-20158: Yii2 FileAPI Widget vulnerable to Cross-site Scripting

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI