Today we are releasing several versions for Yii 2.0.x and official extensions to fix a security issue.
The problem addressed in these patches exists in the ActiveRecord shortcut methods findOne() and findAll(), which may
allow SQL injection if input is not prepared properly. We consider this a security issue in Yii because the documentation for these methods did not contain an explicit warning that there are cases where passing unfiltered user input might be dangerous. Thanks to analitic1983 for making us aware of the issue.
This issue does not exist solely in the Yii Framework; whether it is exploitable depends on how an application uses Yii.
We have changed Yii to be more robust against the worst impact of the problem (SQL injection), but applications may still be vulnerable
and changes to application code are necessary in some cases. As a safety measure, findOne() and findAll() are now limited to filter on
columns that are AR properties only.
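The vulnerable and the hardened call pattern side by side, as an added example (not code from the Yii project or this announcement). It assumes an application ActiveRecord class `User` with an integer `id` column; `Yii` and `User` are the application's own and are not defined here. The `filterCondition()` helper is hypothetical and only mirrors, at application level, the attribute check the patched findOne()/findAll() now perform.

```php
<?php
// Added example for a Yii 2 application; assumes the app's own User ActiveRecord class.

// Vulnerable pattern: the raw query parameter goes straight into findOne().
// findOne() treats a scalar as a primary-key value but an array as a
// column => value condition map, so a request that supplies an array instead
// of a scalar lets the client choose which columns are filtered, not just the
// value. The key (column) part of such a condition is not a bound parameter.
function findUserUnsafe()
{
    return User::findOne(Yii::$app->request->get('id'));
}

// Hardened pattern: reject anything that is not a plain integer-like scalar and
// name the column explicitly, so user input only ever reaches a bound value.
function findUserSafe()
{
    $id = Yii::$app->request->get('id');
    if (!is_scalar($id) || !ctype_digit((string) $id)) {
        return null; // arrays and non-numeric input are rejected, not queried
    }
    return User::findOne(['id' => (int) $id]);
}

// Hypothetical guard for the findAll() case: accept only condition keys that are
// real AR attributes of the model and only scalar/null values. This is what the
// patched versions enforce internally; doing it at the application boundary as
// well keeps unexpected input from reaching the query builder at all.
function filterCondition(array $input, array $allowedAttributes)
{
    $condition = [];
    foreach ($input as $column => $value) {
        if (!in_array($column, $allowedAttributes, true)) {
            throw new InvalidArgumentException("Unknown column in condition: $column");
        }
        if ($value !== null && !is_scalar($value)) {
            throw new InvalidArgumentException("Non-scalar value for column: $column");
        }
        $condition[$column] = $value;
    }
    return $condition;
}

// Usage: the model's own attribute list is the whitelist.
// $filter = filterCondition(Yii::$app->request->get('filter', []), (new User())->attributes());
// $users  = User::findAll($filter);
```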
Check the news announcement for more details
and information on which application code is affected and what needs to be adjusted on upgrade.