
CVE-2017-7271: Yii Framework Reflected XSS

CVSS Score: 6.1

Basic Information

EPSS Score: -
Published: 5/17/2022
Updated: 10/31/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name: yiisoft/yii2
Ecosystem: composer
Vulnerable Versions: < 2.0.11
First Patched Version: 2.0.11

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability was patched by passing the output of yii\web\ErrorHandler::renderRequest() through $this->htmlEncode(). Before the fix, the method returned the dumped request data (the $_GET, $_POST, $_COOKIE and other superglobals) inside <pre> tags with no encoding, so any HTML or script carried in a request parameter was written verbatim into the exception page; after the fix the dump is HTML-encoded before it is placed in the <pre> block. This method renders the request section of the detailed exception screen, which yii\web\ErrorHandler shows only when YII_DEBUG is true, so a production deployment with YII_DEBUG disabled is not exposed, while any debug-mode instance an attacker can reach is. No other functions were modified in the security-related commit, and the CVE description specifically references request data mishandled on the debug-mode exception screen.
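The following is an added stand-alone illustration of the before/after behaviour described above; it is not Yii's code. It reimplements the request dump in plain PHP with var_export() standing in for VarDumper::export() and a fixed 'UTF-8' charset in place of Yii::$app->charset (both are assumptions made for this example), and feeds it a constructed request carrying a script payload in a query parameter.

```php
<?php
// Added example, not yii\web\ErrorHandler itself: a minimal reimplementation of
// renderRequest() in its pre-2.0.11 (unencoded) and 2.0.11 (htmlEncode'd) forms.
// Assumptions: var_export() replaces VarDumper::export(), 'UTF-8' replaces
// Yii::$app->charset.

declare(strict_types=1);

/** Mirrors yii\web\ErrorHandler::htmlEncode(): htmlspecialchars with ENT_QUOTES. */
function htmlEncode(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

/** Builds the "$_GET = ...; $_POST = ...;" dump that the exception view embeds. */
function buildRequestDump(array $globals): string
{
    $request = '';
    foreach (['_GET', '_POST', '_SERVER', '_FILES', '_COOKIE', '_SESSION', '_ENV'] as $name) {
        if (!empty($globals[$name])) {
            $request .= '$' . $name . ' = ' . var_export($globals[$name], true) . ";\n\n";
        }
    }
    return rtrim($request, "\n");
}

/** Vulnerable form (before 2.0.11): raw request data wrapped in <pre>. */
function renderRequestVulnerable(array $globals): string
{
    return '<pre>' . buildRequestDump($globals) . '</pre>';
}

/** Fixed form (2.0.11): the same dump is HTML-encoded before it reaches the page. */
function renderRequestFixed(array $globals): string
{
    return '<pre>' . htmlEncode(buildRequestDump($globals)) . '</pre>';
}

/** Returns whether a rendered fragment still contains a live <script> tag. */
function containsScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed sample request: an attacker-controlled query parameter that would
// accompany a request triggering an exception on a debug-mode (YII_DEBUG) page.
$sample = [
    '_GET' => ['id' => '"><script>alert(document.domain)</script>'],
];

$vulnerable = renderRequestVulnerable($sample);
$fixed      = renderRequestFixed($sample);

// The vulnerable output keeps the <script> element intact and the browser
// executes it; the fixed output shows the payload as text inside the <pre>.
printf("vulnerable contains script tag: %s\n", containsScriptTag($vulnerable) ? 'yes' : 'no');
printf("fixed contains script tag:      %s\n", containsScriptTag($fixed) ? 'yes' : 'no');
echo $fixed, "\n";
```

Run it with `php example.php`. The practical check for an installed application is the same one the script performs: request a debug-mode page with a parameter such as `?id="><script>alert(1)</script>` that provokes an exception and inspect whether the response body carries the tag unencoded; a patched 2.0.11 or later install, or any install with YII_DEBUG off, returns it encoded or not at all.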


WAF Protection Rules

WAF Rule

Reflected cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.11, when development mode is used, allows remote attackers to inject arbitrary web script or HTML via crafted request data that is mishandled on the debug-mode exception screen.
