
CVE-2020-36655: Command injection in yiisoft/yii2-gii

CVSS Score: 8.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.79194%
Published: 1/21/2023
Updated: 1/31/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name: yiisoft/yii2-gii
Ecosystem: composer
Vulnerable Versions: < 2.2.2
First Patched Version: 2.2.2

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from improper input validation in the validateMessageCategory method. The commit diff shows that the fix added a regex pattern (\w+) to restrict messageCategory values, proving that the original implementation lacked proper sanitization. Attackers could exploit this by supplying a crafted messageCategory containing a string-terminating character (such as ') followed by malicious code, which would then be embedded verbatim in the generated model files. The validateMessageCategory() function was the primary validation gatekeeper for this input, making it the root vulnerable function.
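As an added illustration of the allow-list check the fix introduces (example code written for this page, not yii2-gii's own implementation; the function names, the anchoring of the pattern as /^\w+$/, and the stand-in generation step are assumptions), the following shows why restricting messageCategory to word characters stops a quote from breaking out of the string literal that the generator writes into a model file:

```php
<?php
// Added example, not yii2-gii's own code. Demonstrates the allow-list
// validation that blocks quote-based breakouts in generated PHP source.

/**
 * Accept only values made entirely of word characters (letters, digits,
 * underscore). The anchors matter: an unanchored /\w+/ would also accept
 * a value that merely *contains* a word character, such as "app'x".
 */
function validateMessageCategory(string $category): bool
{
    return preg_match('/^\w+$/', $category) === 1;
}

/**
 * Stand-in for the code-generation step (hypothetical helper): the
 * category is interpolated into PHP source that will be written to a
 * model file, so validation must happen before the value reaches here.
 */
function renderLabelLine(string $category, string $attribute): string
{
    if (!validateMessageCategory($category)) {
        throw new InvalidArgumentException(
            'messageCategory must match /^\w+$/, got: ' . var_export($category, true)
        );
    }
    // Safe to interpolate: $category contains no quotes, whitespace or PHP syntax.
    return "'" . $attribute . "' => Yii::t('" . $category . "', '" . ucfirst($attribute) . "'),";
}

// Constructed inputs for a quick self-check (expected verdict on the right).
$cases = [
    'app'        => true,   // ordinary category name
    'backend_v2' => true,   // underscore and digits are word characters
    ''           => false,  // empty string does not match \w+
    "app'x"      => false,  // a quote would terminate the generated string literal
    'app-core'   => false,  // hyphen is not a word character
];

foreach ($cases as $input => $expected) {
    $verdict = validateMessageCategory((string) $input) === $expected ? 'as expected' : 'MISMATCH';
    printf("%-14s %s\n", var_export((string) $input, true), $verdict);
}

echo renderLabelLine('app', 'name'), PHP_EOL;
```

The detection angle is the same regex: a request to the Gii model generator whose messageCategory parameter fails /^\w+$/ is worth alerting on, since no legitimate category needs quotes, whitespace or punctuation.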

WAF Protection Rules

WAF Rule

Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file.
