CVE-2024-32877
📋 TL;DR
This is a Cross-site Scripting (XSS) vulnerability in the Yii 2 PHP framework that allows attackers to execute arbitrary JavaScript in victims' browsers. It affects Yii 2 applications that use the default error handler when it displays stack traces containing arguments longer than 32 characters. All Yii 2 applications running vulnerable versions are affected.
💻 Affected Systems
- Yii 2 PHP Framework
📦 What is this software?
Yii by Yiiframework
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover through session hijacking, theft of sensitive data (including cookies not protected by the httpOnly flag), and full control over the victim's interactions with the application.
Likely Case
Session hijacking leading to unauthorized access, data theft, and potential privilege escalation depending on the victim's role.
If Mitigated
Limited impact if proper CSP headers are in place and httpOnly cookies are used, though XSS could still enable UI manipulation.
🎯 Exploit Status
Exploitation requires user interaction (hovering over a truncated argument in the rendered stack trace) but can be driven by social engineering. No public exploit code was available at the time of analysis.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.50
Vendor Advisory: https://github.com/yiisoft/yii2/security/advisories/GHSA-qg5r-95m4-mjgj
Restart Required: No
Instructions:
1. Update Yii2 via Composer: composer require yiisoft/yii2:^2.0.50
2. Run composer update
3. Clear any cached files
4. Test application functionality
🧯 If You Can't Patch
- Disable detailed error reporting in production environments
- Implement Content Security Policy (CSP) headers to restrict script execution
🔍 How to Verify
Check if Vulnerable:
Check the installed version in composer.json or in vendor/yiisoft/yii2/BaseYii.php. If the version is below 2.0.50 and the error handler displays stack traces, the application is vulnerable.
Check Version:
composer show yiisoft/yii2 | grep versions
Verify Fix Applied:
Verify that the installed version is 2.0.50 or higher via composer show yiisoft/yii2, or by checking the version constant in BaseYii.php.
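The version check above, as an added POSIX sh example that is not part of this advisory: it parses the "versions" line of composer show output (a constructed sample is embedded so it runs offline) and compares the dotted version against the patched release 2.0.50 without relying on GNU sort -V. The function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether an installed
# yiisoft/yii2 version is below the patched release 2.0.50.

FIXED_VERSION="2.0.50"

# version_lt A B -> exit 0 when A < B, comparing dotted numeric components.
# A leading "v" and any "-suffix" (e.g. -dev) are stripped before comparing.
version_lt() {
    a=${1#v}; b=${2#v}
    a=${a%%-*}; b=${b%%-*}
    oldifs=$IFS; IFS=.
    set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$oldifs
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# installed_version_from_show: read `composer show yiisoft/yii2` output on
# stdin and print the installed version from the "versions : * X.Y.Z" line.
installed_version_from_show() {
    sed -n 's/^versions *: *\* *//p' | awk '{print $1}'
}

# yii2_vulnerable VERSION -> exit 0 when VERSION is below the fixed release.
yii2_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# Constructed sample of `composer show yiisoft/yii2` output (not captured
# from a real system); in practice pipe the real command into
# installed_version_from_show instead.
SAMPLE_SHOW='name     : yiisoft/yii2
descrip. : Yii PHP Framework Version 2
versions : * 2.0.49'

check_sample() {
    v=$(printf '%s\n' "$SAMPLE_SHOW" | installed_version_from_show)
    if yii2_vulnerable "$v"; then
        echo "yiisoft/yii2 $v is below $FIXED_VERSION: affected by CVE-2024-32877, upgrade"
    else
        echo "yiisoft/yii2 $v is at or above $FIXED_VERSION: fixed"
    fi
}

check_sample
```

On a real host replace SAMPLE_SHOW with `composer show yiisoft/yii2 | installed_version_from_show`; the comparison treats 2.0.50 itself and any 2.1.x release as fixed.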
📡 Detection & Monitoring
Log Indicators:
- Unusual error log entries with long argument values containing quote characters
- Repeated error-triggering requests from a single IP with crafted parameters
Network Indicators:
- HTTP requests containing crafted parameters with quotes and JavaScript patterns in error-triggering endpoints
SIEM Query:
source="web_logs" AND (uri="*error*" OR status="500") AND (param="*\"*" OR param="*onmouse*" OR param="*javascript:*")
🔗 References
- https://github.com/yiisoft/yii2/commit/f7baab16e79f2369d4838ab5653c3c07ecf26615
- https://github.com/yiisoft/yii2/security/advisories/GHSA-qg5r-95m4-mjgj