Basic Information

- CVSS Score: -
- CVE ID: -
- GHSA ID: -
- EPSS Score: -
- CWE: -
- Published: -
- Updated: -
- KEV Status: -
- Technology: -
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| yiisoft/yii2-dev | composer | >= 2.0.0, < 2.0.15 | 2.0.15 |
| yiisoft/yii2-elasticsearch | composer | < 2.0.5 | 2.0.5 |
The vulnerability documentation explicitly references ActiveRecord::findOne/findAll in yii2-elasticsearch as the attack vector. The framework's own security bulletin confirms these methods were hardened in v2.0.5 by restricting them to filter only on AR properties. The functions were vulnerable because they previously accepted raw, unvalidated user input directly as the query condition, so a specially crafted array parameter could alter the condition that was executed.
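As an added illustration (not code from the Yii project or from the advisory), the following standalone PHP helper mirrors the hardening described above: a lookup condition derived from request input is accepted only when it is a scalar primary-key value or an array whose keys are all declared ActiveRecord attribute names. The helper name, the attribute list and the sample inputs are assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

/**
 * Build a condition that is safe to hand to findOne()/findAll().
 * Hypothetical helper (not part of Yii2): it reproduces the intent of the
 * v2.0.5 fix by allowing only a scalar primary-key lookup or column => value
 * pairs whose keys are declared AR attributes.
 *
 * @param mixed    $input      raw request value (string, int, or array)
 * @param string[] $attributes attribute names of the ActiveRecord class
 * @param string   $primaryKey name of the primary-key attribute
 * @return array<string,mixed> condition restricted to AR attributes
 * @throws InvalidArgumentException when the input is not such a condition
 */
function safeArCondition(mixed $input, array $attributes, string $primaryKey): array
{
    // A plain scalar means "look up by primary key" and nothing else.
    if (is_int($input) || is_string($input)) {
        return [$primaryKey => $input];
    }
    if (!is_array($input)) {
        throw new InvalidArgumentException('condition must be a scalar or an array');
    }
    $allowed = array_flip($attributes);
    foreach ($input as $key => $value) {
        // Integer keys would be read as operator-format conditions and
        // unknown string keys would reach the query untouched; reject both.
        if (!is_string($key) || !isset($allowed[$key])) {
            throw new InvalidArgumentException("'$key' is not an attribute");
        }
        // Allow only scalar comparisons; nested arrays reopen operator syntax.
        if (!is_scalar($value) && $value !== null) {
            throw new InvalidArgumentException("value for '$key' must be scalar");
        }
    }
    return $input;
}

// Constructed demo input; in a controller this would come from the request.
$attrs = ['id', 'title', 'status'];
var_dump(safeArCondition('42', $attrs, 'id'));             // scalar: primary-key lookup
var_dump(safeArCondition(['status' => 1], $attrs, 'id')); // attribute => value: accepted
try {
    safeArCondition(['>', 'id', 0], $attrs, 'id');         // operator-style array: rejected
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```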