CVE-2017-7271:
Yii Framework Reflected XSS
CVSS Score: 6.1

Basic Information
CVE ID: CVE-2017-7271
GHSA ID:
EPSS Score: -
CWE:
Published: 5/17/2022
Updated: 10/31/2023
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| yiisoft/yii2 | composer | < 2.0.11 | 2.0.11 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability was explicitly patched by adding HTML encoding via $this->htmlEncode() in the renderRequest method. The commit diff shows the critical line change from returning raw request data wrapped in <pre> tags to properly encoded data. This method handles debug error page rendering where user-controlled input (request parameters) is displayed, making it the direct attack vector. No other functions were modified in the security-related commit, and the CVE description specifically references mishandling of request data in debug exception screens.