Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Advisories: GSA_kwCzR0hTQS1qOXEyLWY5cTctamhncc4AAxG9
CakePHP SecurityComponent cross form submission issue
Prior to versions 2.4.8 and 1.3.18, forms secured by SecurityComponent could be submitted to any action without triggering SecurityComponent’s tampering protection. If an application contained multiple POST forms to manipulate the same models, it could be vulnerable to mass assignment issues.
Permalink: https://github.com/advisories/GHSA-j9q2-f9q7-jhgq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 8 days ago
Updated: 8 days ago
Identifiers: GHSA-j9q2-f9q7-jhgq
References:
- https://github.com/cakephp/cakephp/commit/f23d811ff59c50ef278e98bb75f4ec1e7e54a5b3
- https://bakery.cakephp.org/2014/04/29/CakePHP-1-3-18-and-2-4-8-released.html
- https://github.com/FriendsOfPHP/security-advisories/blob/master/cakephp/cakephp/2014-04-29.yaml
- https://github.com/advisories/GHSA-j9q2-f9q7-jhgq
Affected Packages
packagist:cakephp/cakephp
Versions: >= 1.3.0, < 1.3.18, >= 2.0.0, < 2.4.8
Fixed in: 1.3.18, 2.4.8