CVE-2017-11516 — Yii Cross-site Scripting Framework vulnerability

Description

An XSS vulnerability exists in framework/views/errorHandler/exception.php in Yii Framework 2.0.12 affecting the exception screen when debug mode is enabled, because $exception->errorInfo is mishandled.

How to fix CVE-2017-11516

To remediate CVE-2017-11516, upgrade the affected package to a fixed version below.

Packagist/yiisoft/yii2—upgrade to 2.0.13 or later
—upgrade to 2.0.13 or later

Is CVE-2017-11516 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 2.0.12, < 2.0.13
>= 2.0.12, < 2.0.13

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-11516
PATCHgithub.com/yiisoft/yii2-framework
WEBgithub.com/yiisoft/yii2/pull/14492
WEBgithub.com/yiisoft/yii2/pull/14492/files/feb4067de8a58f391a66e395192b0d83a8109b95