CVSS 3.1 Score 6.1 of 10 (medium)


Published Dec 22, 2023
Updated: Jan 8, 2024
CWE ID 203


CVE-2023-50708 is a vulnerability in the yii2-authclient extension prior to version 2.2.15. This extension adds OpenID, OAuth, OAuth2, and OpenId Connect consumers for the Yii framework 2.0. The vulnerability allows for a timing attack on the Oauth1/2 state and OpenID Connect nonce parameters, as they are compared via regular string comparison instead of using a secure method. The issue has been patched in version 2.2.15, and no known workarounds are available. This vulnerability has a risk score of 65 and a base severity of MEDIUM according to the CVSS:3.1 scoring system. It requires user interaction and has a high integrity impact but does not affect confidentiality or availability. The affected products include various versions of Yii framework extensions.

Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2023-50708 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options