Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Advisories: GSA_kwCzR0hTQS1xNzltLWM1NDYtMmc2M84AAxG-
CakePHP vulnerable to Denial of Service attack through XML payloads
RequestHandlerComponent had a vulnerability that would allow well-crafted requests to create a denial of service attack. RequestHandlerComponent leverages Xml::build(), which allows reading local files. We recommend that all applications using RequestHandlerComponent upgrade, or disable parsing XML payloads.
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 15 days ago
Updated: 15 days ago
Identifiers: GHSA-q79m-c546-2g63
References:
- https://github.com/cakephp/cakephp/commit/c186487151356a8d7c6e2cae05f87b9df0e59fbb
- https://bakery.cakephp.org/2015/05/28/cakephp_2_6_6_and_3_0_6_released.html
- https://github.com/FriendsOfPHP/security-advisories/blob/master/cakephp/cakephp/2015-05-28.yaml
- https://github.com/advisories/GHSA-q79m-c546-2g63
Affected Packages
packagist:cakephp/cakephp
Versions: >= 2.6.0, < 2.6.6; >= 2.5.0, < 2.5.90; >= 2.4.0, < 2.4.99; >= 2.3.0, < 2.3.99; >= 2.2.0, < 2.2.99; >= 2.1.0, < 2.1.99; >= 2.0.0, < 2.0.99; >= 3.0.0, < 3.0.6
Fixed in: 2.6.6, 2.5.90, 2.4.99, 2.3.99, 2.2.99, 2.1.99, 2.0.99, 3.0.6