
CVE-2018-6009: Yii Framework Cross-Site Request Forgery (CSRF)

CVSS Score (v3.0): 8.8

Basic Information

EPSS Score: 0.39803%
Published: 5/14/2022
Updated: 4/24/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name       Ecosystem   Vulnerable Versions   First Patched Version
yiisoft/yii2       composer    >= 2.0, < 2.0.14      2.0.14
yiisoft/yii2-dev   composer    >= 2.0, < 2.0.14      2.0.14

Vulnerability Intelligence

Root Cause Analysis

  1. The vulnerability description explicitly names switchIdentity in web/User.php as the problematic function.
  2. The GitHub advisory and the Yii release notes confirm that CSRF token regeneration was missing from this identity-switching function.
  3. The security fix commit adds CSRF token regeneration directly to switchIdentity, confirming that this was the missing control.
  4. The CWE-352 (CSRF) classification matches the failure to rotate the token during a security-critical identity change: because the token stored in the session was not regenerated, a token issued before login remained valid after login, so a request forged with that earlier token would still pass the CSRF check for the newly authenticated identity.
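The following is an added example, not code from Yii or from the advisory: a standalone PHP model of a session-backed CSRF token and a User component whose switchIdentity either does or does not rotate that token. The class names Session, Request, VulnerableUser and FixedUser and the helper preLoginTokenStillValidAfterLogin are assumptions for illustration; only the method name switchIdentity comes from the page. It shows the practical consequence of the missing regeneration: a token obtained while the session was anonymous is accepted after the identity changes.

```php
<?php
// Added example (not Yii's own code). Models the pre-2.0.14 behaviour of
// switchIdentity beside the fixed behaviour, using an in-memory session.
// All names except switchIdentity are assumptions for illustration.

final class Session
{
    private array $data = [];

    public function get(string $key): ?string { return $this->data[$key] ?? null; }
    public function set(string $key, string $value): void { $this->data[$key] = $value; }
}

final class Request
{
    public const CSRF_PARAM = '_csrf';

    public function __construct(private Session $session) {}

    /** Returns the session's CSRF token, creating a fresh one on demand or when none exists. */
    public function getCsrfToken(bool $regenerate = false): string
    {
        if ($regenerate || $this->session->get(self::CSRF_PARAM) === null) {
            $this->session->set(self::CSRF_PARAM, bin2hex(random_bytes(16)));
        }
        return $this->session->get(self::CSRF_PARAM);
    }

    /** Constant-time comparison of a client-supplied token against the session token. */
    public function validateCsrfToken(string $submitted): bool
    {
        $expected = $this->session->get(self::CSRF_PARAM);
        return $expected !== null && hash_equals($expected, $submitted);
    }
}

abstract class UserBase
{
    protected ?string $identityId = null;

    public function __construct(protected Session $session, protected Request $request) {}

    public function getId(): ?string { return $this->identityId; }

    abstract public function switchIdentity(?string $identityId): void;
}

/** Modelled pre-2.0.14 behaviour: the session token survives the identity switch. */
final class VulnerableUser extends UserBase
{
    public function switchIdentity(?string $identityId): void
    {
        $this->identityId = $identityId;
        $this->session->set('__id', (string) $identityId);
        // No CSRF token regeneration here: the anonymous-session token stays valid.
    }
}

/** Modelled fixed behaviour: a fresh token is issued whenever the identity changes. */
final class FixedUser extends UserBase
{
    public function switchIdentity(?string $identityId): void
    {
        $this->identityId = $identityId;
        $this->session->set('__id', (string) $identityId);
        // Rotate the token so anything issued before the switch is rejected.
        $this->request->getCsrfToken(true);
    }
}

/** Replays the attack shape: obtain a token while anonymous, log in, submit the old token. */
function preLoginTokenStillValidAfterLogin(string $userClass): bool
{
    $session = new Session();
    $request = new Request($session);
    $user = new $userClass($session, $request);

    // 1. Token issued to the session while no identity is set (e.g. rendered into a form).
    $preLoginToken = $request->getCsrfToken();

    // 2. Identity changes within the same session (login).
    $user->switchIdentity('alice');

    // 3. A state-changing request arrives carrying the pre-login token.
    return $request->validateCsrfToken($preLoginToken);
}

var_dump(preLoginTokenStillValidAfterLogin(VulnerableUser::class));
var_dump(preLoginTokenStillValidAfterLogin(FixedUser::class));
```

Run with `php example.php` (PHP 8.0 or newer, for constructor property promotion). The vulnerable model validates the stale token and the fixed model rejects it, which is exactly the difference the 2.0.14 fix introduces by regenerating the token inside switchIdentity. The same check is a useful regression test in any application that manages its own login flow: whatever token the client held before authentication must fail validation afterwards.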

WAF Protection Rules

WAF Rule

In Yii framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity.
