CVEs-PoC/2020/CVE-2020-15148.md

### [CVE-2020-15148](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15148)
![](https://img.shields.io/static/v1?label=Product&message=yii2&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=%7B%22CWE-502%22%3A%22Deserialization%20of%20Untrusted%20Data%22%7D&color=brighgreen)

### Description

Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/0xT11/CVE-POC
- https://github.com/0xkami/cve-2020-15148
- https://github.com/20142995/sectool
- https://github.com/ARPSyndicate/cvemon
- https://github.com/ARPSyndicate/kenzer-templates
- https://github.com/Awrrays/FrameVul
- https://github.com/Elsfa7-110/kenzer-templates
- https://github.com/Maskhe/CVE-2020-15148-bypasses
- https://github.com/Mr-xn/Penetration_Testing_POC
- https://github.com/SexyBeast233/SecBooks
- https://github.com/StarCrossPortal/scalpel
- https://github.com/YIXINSHUWU/Penetration_Testing_POC
- https://github.com/alphaSeclab/sec-daily-2020
- https://github.com/anonymous364872/Rapier_Tool
- https://github.com/apif-review/APIF_tool_2024
- https://github.com/developer3000S/PoC-in-GitHub
- https://github.com/hectorgie/PoC-in-GitHub
- https://github.com/huike007/penetration_poc
- https://github.com/lions2012/Penetration_Testing_POC
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/soosmile/POC
- https://github.com/trganda/starrlist
- https://github.com/winterwolf32/CVE-S---Penetration_Testing_POC-
- https://github.com/xuetusummer/Penetration_Testing_POC
- https://github.com/youcans896768/APIV_Tool