HIGH 7.4
GHSA-5vpg-rj7q-qpw2
Yii 2: Local file inclusion via view parameter name collision
Details
The core view rendering method `View::renderPhpFile()` calls `extract($_params_, EXTR_OVERWRITE)` before the `require` statement that includes the view file. A caller-controlled parameter named `_file_` in the `$params` array overwrites the internal local variable that specifies which file is included — enabling a Local File Inclusion primitive.
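As an added illustration (not Yii's own code and not the 2.0.55 patch), the rendering shape described above is shown next to a hardened variant that rejects reserved parameter names before `extract()`, extracts with `EXTR_SKIP` so existing locals can never be overwritten, and confines the resolved path to the view root. The function names `renderUnsafe` and `renderSafe`, the `$viewRoot` parameter, the reserved-name list and the constructed sample view are all assumptions of this example.

```php
<?php
// Added example, not Yii's code: names and the reserved-name list are assumptions.

// Vulnerable shape: extract() with EXTR_OVERWRITE runs before require, so a
// $_params_ key named '_file_' replaces the local that names the view file.
function renderUnsafe(string $_file_, array $_params_): string
{
    ob_start();
    extract($_params_, EXTR_OVERWRITE);
    require $_file_;
    return ob_get_clean();
}

// Hardened shape (assumed mitigation, not the project's patch):
//  1. reject parameter names that collide with the renderer's own locals,
//  2. extract with EXTR_SKIP so an existing variable is never overwritten,
//  3. only include files that resolve to a path under the view root.
function renderSafe(string $_file_, array $_params_, string $viewRoot): string
{
    $reserved = ['_file_', '_params_', 'viewRoot', 'this'];
    foreach (array_keys($_params_) as $name) {
        if (!is_string($name) || !preg_match('/^[A-Za-z_]\w*$/', $name)) {
            throw new InvalidArgumentException("Invalid view parameter name: " . var_export($name, true));
        }
        if (in_array($name, $reserved, true)) {
            throw new InvalidArgumentException("Reserved view parameter name: $name");
        }
    }

    $root = realpath($viewRoot);
    $real = realpath($_file_);
    if ($root === false || $real === false
        || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new InvalidArgumentException("View file is outside the view root");
    }

    ob_start();
    extract($_params_, EXTR_SKIP); // locals such as $_file_ keep their values
    require $real;
    return ob_get_clean();
}

// Constructed sample: a throwaway view directory with one template.
$viewRoot = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'views_' . uniqid();
mkdir($viewRoot);
file_put_contents($viewRoot . '/hello.php', 'Hello, <?= htmlspecialchars($name) ?>');

echo renderSafe($viewRoot . '/hello.php', ['name' => 'world'], $viewRoot), "\n";

// A parameter set carrying the colliding key is refused before anything is included.
try {
    renderSafe($viewRoot . '/hello.php',
               ['name' => 'x', '_file_' => '/outside/of/views.txt'], $viewRoot);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Rejecting the reserved names explicitly, rather than relying on `EXTR_SKIP` alone, gives a loud failure that can be logged and alerted on when a caller passes a colliding key; the path check is defence in depth for the case where `$_file_` is itself derived from untrusted input.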
### Impact
- Local File Inclusion (arbitrary file read via non-PHP files)
- Potential RCE if attacker can write PHP files via a separate primitive
- Information disclosure
### Patches
2.0.55
### Workarounds
No.
References
- https://github.com/yiisoft/yii2/security/advisories/GHSA-5vpg-rj7q-qpw2 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-39850 [ADVISORY]
- https://github.com/yiisoft/yii2/commit/109878b491dbffa541032bc99fb5e26d12cd0375 [WEB]
- https://github.com/yiisoft/yii2 [PACKAGE]
- https://github.com/yiisoft/yii2/releases/tag/2.0.55 [WEB]