CVE-2015-5467: 
PHP vulnerability analysis and mitigation

CVE-2015-5467 affects Yii (also known as Yii2) versions 2.x before 2.0.5. The vulnerability was discovered in the web\ViewAction class and was disclosed on July 10, 2015. The affected component allows attackers to execute any local .php file via a relative path in the view parameter (Yii News, NVD). The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (NVD).

The vulnerability exists in the web\ViewAction class of Yii Framework. It allows attackers to execute arbitrary PHP files through path traversal by specifying a relative path in the view parameter. The issue has been classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD). The vulnerability affects all versions from 2.0.0 up to (but not including) 2.0.5.

The vulnerability allows attackers to execute arbitrary PHP files on the system, potentially leading to remote code execution. Given the CVSS score of 9.8, this vulnerability is considered critical with high impacts on confidentiality, integrity, and availability of the affected system (NVD).

The vulnerability was fixed in Yii version 2.0.5. Users are strongly urged to upgrade their Yii installation to this version or later. The upgrade from 2.0.4 to 2.0.5 is considered safe as it only contains the security fix and will not break existing code (Yii News).

The Yii Framework team responded quickly to the vulnerability by releasing version 2.0.5 immediately after the issue was posted on the public issue tracker. They also reserved a CVE number (CVE-2015-5467) for tracking this security issue (Yii News).