Yii 2.0.5 is released to fix a security issue found in the yii\web\ViewAction class. All users of the class are encouraged to upgrade their Yii installation to this latest release. Upgrading from 2.0.4 to this release is very safe, as the release contains only the bugfix for the vulnerability and will not break your existing code.
The vulnerability is in the ViewAction action. It is possible to execute any PHP file (a file ending with .php) on the disk by passing a relative path via the view parameter. Since the issue was posted on the public issue tracker and is already known, Yii 2.0.5 was released immediately to address this.
Please refer to the CVE number (CVE-2015-5467) for this issue.
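The following is an added example, not Yii's patch and not code from the Yii project. It shows one way to constrain a user-supplied view name to .php files under a fixed view directory. The function name resolveViewFile and the sample directory layout are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not Yii's code): map a user-supplied view name to a
 * .php file that is guaranteed to live under $baseDir, or return null.
 */
function resolveViewFile(string $baseDir, $viewName): ?string
{
    // Query-string input can arrive as an array; accept non-empty strings only.
    if (!is_string($viewName) || $viewName === '') {
        return null;
    }
    // Allow-list: segments of word characters and dashes joined by single
    // slashes. Dots are not allowed, so "." and ".." segments, absolute
    // paths, backslashes and NUL bytes are refused. \z (not $) also refuses
    // a trailing newline.
    if (!preg_match('~^[\w\-]+(?:/[\w\-]+)*\z~', $viewName)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Defence in depth: canonicalise the candidate and confirm containment,
    // which also catches symlinks that point out of the view directory.
    $file = realpath($base . DIRECTORY_SEPARATOR . $viewName . '.php');
    if ($file === false || !is_file($file)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($file, $prefix, strlen($prefix)) === 0 ? $file : null;
}

// Constructed sample layout: one legitimate view and one PHP file outside it.
$root = sys_get_temp_dir() . '/viewaction_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/app/views/pages', 0700, true);
file_put_contents($root . '/app/views/pages/about.php', '<?php echo "about";');
file_put_contents($root . '/app/secret.php', '<?php echo "not a view";');

// Constructed inputs: only the first one names a file inside the view directory.
$inputs = ['about', '../../secret', 'about/../../../secret', '/etc/passwd', ['about']];
foreach ($inputs as $input) {
    $resolved = resolveViewFile($root . '/app/views/pages', $input);
    $label = json_encode($input, JSON_UNESCAPED_SLASHES);
    printf("%-28s => %s\n", $label, $resolved === null ? 'rejected' : 'served');
}
```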