CVE-2024-4990
Published: 20 March 2025
Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Security Summary
CVE-2024-4990 affects yiisoft/yii2 version 2.0.48, a PHP framework, specifically in its base Component class. The vulnerability arises because the `__set()` magic method fails to validate that the value passed to it is a valid Behavior class name or configuration. This flaw enables attackers to instantiate arbitrary classes, supply parameters to their constructors, and invoke setter methods on those classes.
Remote attackers require no privileges or user interaction to exploit this issue over the network with low complexity, as indicated by its CVSS 3.1 score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H). Exploitation depends on the victim's installed dependencies and can lead to arbitrary code execution, retrieval of sensitive information, or unauthorized access. The issue is classified under CWE-470.
Details on mitigation, including any patches or workarounds, are documented in the advisory at https://huntr.com/bounties/4fbdd965-02b6-42e4-b57b-f98f93415b8f. The vulnerability was published on 2025-03-20.
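As an added illustration (not yii2's own code), the PHP 8 sketch below reproduces the unchecked behavior attachment the summary describes using stand-ins for `yii\base\Behavior` and `Yii::createObject()`, and places next to it a `__set()` that checks the class against `Behavior` before instantiating it. The `as <name>` property convention is Yii's; `LoggingBehavior`, `NotABehavior` and the local `createObject()` are hypothetical stand-ins.

```php
<?php
// Added illustration, not yii2's own code: stand-ins for yii\base\Behavior and
// Yii::createObject() reproduce the unchecked "as <name>" behavior attachment
// the page describes, beside a __set() that validates the class first.

abstract class Behavior {}                 // stand-in for yii\base\Behavior
class LoggingBehavior extends Behavior {}  // a legitimate behavior
class NotABehavior {                       // constructed: an unrelated class
    public string $path = '';
    public function __construct(string $path = '') { $this->path = $path; }
}
// Stand-in for Yii::createObject(): class name, constructor args, then setters.
function createObject(string|array $config): object {
    $class = is_array($config) ? $config['class'] : $config;
    $args  = is_array($config) ? ($config['__construct()'] ?? []) : [];
    $obj   = new $class(...$args);
    foreach (is_array($config) ? $config : [] as $k => $v) {
        if ($k !== 'class' && $k !== '__construct()') { $obj->$k = $v; }
    }
    return $obj;
}

class VulnerableComponent {
    public array $behaviors = [];
    public function __set(string $name, mixed $value): void {
        if (!str_starts_with($name, 'as ')) { return; }
        // CVE-2024-4990 pattern: whatever class $value names is instantiated
        $this->behaviors[trim(substr($name, 3))] =
            $value instanceof Behavior ? $value : createObject($value);
    }
}
class HardenedComponent {
    public array $behaviors = [];
    public function __set(string $name, mixed $value): void {
        if (!str_starts_with($name, 'as ')) { return; }
        $class = is_array($value) ? ($value['class'] ?? null) : $value;
        if (!($value instanceof Behavior)
            && !(is_string($class) && is_subclass_of($class, Behavior::class, true))) {
            throw new InvalidArgumentException("'$name' is not a Behavior class or config");
        }
        $this->behaviors[trim(substr($name, 3))] =
            $value instanceof Behavior ? $value : createObject($value);
    }
}
// Constructed input: a config naming a class that is not a Behavior.
$bad = ['class' => NotABehavior::class, '__construct()' => ['/tmp/a'], 'path' => '/tmp/b'];
$v = new VulnerableComponent(); $v->{'as x'} = $bad;  // NotABehavior built, setter run
$h = new HardenedComponent();
try { $h->{'as x'} = $bad; } catch (InvalidArgumentException $e) { echo $e->getMessage(); }
```

The hardened form rejects the config before any constructor or setter runs, which is the property the fixed framework version must guarantee for every `as <name>` write.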
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote, unauthenticated code execution via unsafe class instantiation in a public-facing PHP web framework maps directly to T1190 (Exploit Public-Facing Application) and facilitates T1059 (Command and Scripting Interpreter) for arbitrary code execution.