Description

In yiisoft/yii2 version 2.0.48, the base Component class contains a vulnerability where the `__set()` magic method does not validate that the value passed is a valid Behavior class name or configuration. This allows an attacker to instantiate arbitrary classes, passing parameters to their constructors and invoking setter methods. Depending on the installed dependencies, various types of attacks are possible, including the execution of arbitrary code, retrieval of sensitive information, and unauthorized access.

INFO

Published Date :

2025-03-20T10:11:14.988Z

Last Modified :

2025-03-20T13:31:05.950Z

Source :

@huntr_ai
AFFECTED PRODUCTS

The following products are affected by CVE-2024-4990 vulnerability.

Vendors Products
Yiiframework
  • Yii
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-4990.

URL Resource
https://huntr.com/bounties/4fbdd965-02b6-42e4-b57b-f98f93415b8f cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact