CVE-2015-5467

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') (CWE-98)

Published: Sep 21, 2023 / Updated: 14mo ago

GitHub Security Advisory: GHSA-7cfq-72w2-24q4 Release Date: 2023-09-21 Update Date: 2023-09-25 Severity: Critical CVE-2015-5467 Base Score: 9.8 Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Package Information Package: yiisoft/yii2 Affected Versions: >= 2.0.0, Patched Versions: 2.0.5 Description web\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameeter.

We are releasing Yii 2.0.5 to fix a security issue found in the yii\web\ViewAction class. We urge all users of the class to upgrade their Yii installation to this latest release . Upgrading from 2.0.4 to this release is very safe as the release does only contain the bugfix for the vulnerability and will not break your existing code. The vulnerability is in the ViewAction action. It is possible to execute any PHP file (a file ending with .php ) on the disk by passing a relative path via view parameter. Since the issue was posted on the public issue tracker and is already known, we've fixed it and decided to make this release immediately. We have reserved a CVE number ( CVE-2015-5467 ) for this issue, which you can use to refer to it.

CVE-2023-25528 - NVIDIA DGX H100 baseboard management controller (BMC) is vulnerable to a stack overflow through a specially crafted network packet, allowing unauthorized remote attackers to achieve arbitrary code execution, denial of service, information disclosure, and data tampering. CVE-2023-25530 - NVIDIA DGX H100 BMC KVM service vulnerability allows an attacker to exploit improper input validation, potentially leading to code execution, denial of service, privileges escalation, and information disclosure.

References to Advisories, Solutions, and Tools By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov .

Low Severity Description web\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameeter. Read more at https://www.tenable.com/cve/CVE-2015-5467

GitHub Security Advisory: GHSA-7cfq-72w2-24q4 Release Date: 2023-09-21 Update Date: 2023-09-25 Severity: Critical CVE-2015-5467 Base Score: 9.8 Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Package Information Package: yiisoft/yii2 Affected Versions: >= 2.0.0, Patched Versions: 2.0.5 Description web\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameeter.

Cvss vector : N/A Overall CVSS Score NA Base Score NA Environmental Score NA impact SubScore NA Temporal Score NA Exploitabality Sub Score NA Calculate full CVSS 3.0 Vectors scores Cvss vector : Cvss Base Score N/A Attack Range N/A Cvss Impact Score N/A Attack Complexity N/A Cvss Expoit Score N/A Authentication N/A Calculate full CVSS 2.0 Vectors scores