Overview

Recently, NSFOCUS detected that Yii Framework 2 disclosed a deserialization remote command execution vulnerability (CVE-2020-15148) in its update log published on September 14, 2020.

By adding the _wakeup() function to Class yii\db\BatchQueryResult, Yii Framework 2 disables yii\db\BatchQueryResult deserialization and prevents remote command execution caused by application calling ‘unserialize()’ on arbitrary user input.

Yii2 is a high-performance, open-source, component-based PHP framework for rapidly developing modern Web applications.

At present, Yii Framework 2 has released a new version to fix the vulnerability. NSFOCUS detection and protection products are capable of scanning and detecting the vulnerability. Affected users are advised to take preventive measures as soon as possible.