CVE-2020-35239

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-35239

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-35239.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-35239

Aliases

GHSA-9pgx-pf36-w46r

Related

UBUNTU-CVE-2020-35239

Published

2021-01-26T18:15:53Z

Modified

2024-09-03T03:28:15.647223Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A vulnerability exists in CakePHP versions 4.0.x through 4.1.3. The CsrfProtectionMiddleware component allows method override parameters to bypass CSRF checks by changing the HTTP request method to an arbitrary string that is not in the list of request methods that CakePHP checks. Additionally, the route middleware does not verify that this overriden method (which can be an arbitrary string) is actually an HTTP method.

References

https://bakery.cakephp.org/2020/12/07/cakephp_4010_released.html

Affected packages

Git / github.com/cakephp/cakephp

Affected ranges

Type: GIT
Repo: https://github.com/cakephp/cakephp
Events: Introduced

767b164747df789db8c0fbcf3bcf9eaf3be55b38

Last affected

2c0273a37023044b96a4d6471092f48f51225f8d

Affected versions

3.*

3.8.8

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.6

4.0.7

4.0.8

4.0.9

4.1.0

4.1.0-RC1

4.1.0-RC2

4.1.0-beta1

4.1.1

4.1.2

4.1.3