Basic Information

CVSS Score: -
CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: -
The exploit demonstrates XSS via the 'role' parameter, which indicates insufficient input sanitization. In Yii2, XSS typically occurs when user-controlled data (such as $_GET parameters) is rendered in a view without escaping. The advisories do not name the exact functions or files, but the involvement of the role parameter points to the controller actions that handle this input and the view templates that render it. Confidence is medium: there are no explicit code references, but the pattern aligns strongly with known Yii2 XSS patterns.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| ptheofan/yii2-statemachine | composer | >= 2.0.0-RC1, <= 2.0.0 | |