How severe is CVE-2024-4990?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.1 out of 10.

What type of vulnerability is CVE-2024-4990?

This is classified as CWE-470, which is a common weakness in software security.

CVE-2024-4990 - HIGH Severity | CVSS 8.1

Vulnerability Description

In yiisoft/yii2 version 2.0.48, the base Component class contains a vulnerability where the `__set()` magic method does not validate that the value passed is a valid Behavior class name or configuration. This allows an attacker to instantiate arbitrary classes, passing parameters to their constructors and invoking setter methods. Depending on the installed dependencies, various types of attacks are possible, including the execution of arbitrary code, retrieval of sensitive information, and unauthorized access.

Related Vulnerabilities

CVE-2022-30287

HIGH

CVSS:8.0(High)

Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection attack through which an attacker can instantiate a driver class. This then leads to arbitrary deserialization of PHP object...

CWE-4702022

CVE-2024-53850

HIGH

CVSS:8.2(High)

The Addressing GLPI plugin enables you to create IP reports for visualize IP addresses used and free on a given network.. Starting with 3.0.0 and before 3.0.3, a poor security check allows an unauthen...

CWE-4702024

CVE-2024-7059

HIGH

CVSS:8.0(High)

A high-severity vulnerability that can lead to arbitrary code execution on the system hosting the Web SDK role was found in the Genetec Security Center product line.

CWE-4702024

CVE-2022-26469

HIGH

CVSS:7.8(High)

In MtkEmail, there is a possible escalation of privilege due to fragment injection. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is...

CWE-4702022

CVE-2024-8048

HIGH

CVSS:7.8(High)

In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible using object injection via insecure expression evaluation.

CWE-4702024

CVE-2025-31119

HIGH

CVSS:7.6(High)

generator-jhipster-entity-audit is a JHipster module to enable entity audit and audit log page. Prior to 5.9.1, generator-jhipster-entity-audit allows unsafe reflection when having Javers selected as ...

CWE-4702025