CVE-2023-47130: 
PHP vulnerability analysis and mitigation

Yii, an open source PHP web framework, was found to be vulnerable to Remote Code Execution (RCE) in versions before 1.1.29. The vulnerability was disclosed on November 14, 2023, and affects applications that call the unserialize() function on arbitrary user input (NVD, GitHub Advisory).

The vulnerability is tracked as CVE-2023-47130 and has received a CVSS v3.1 base score of 9.8 (Critical) from NVD and 8.1 (High) from GitHub. The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data). The issue occurs when user-supplied input is not properly sanitized before being passed to the PHP unserialize() function, potentially allowing arbitrary PHP object injection into the application scope (NVD, OWASP).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code on the affected system, potentially leading to complete system compromise. The vulnerability has the highest possible impact ratings for confidentiality, integrity, and availability (NVD).

The vulnerability has been patched in Yii version 1.1.29. Users are strongly advised to upgrade to this version or later. There are no known workarounds for this vulnerability (GitHub Advisory).