GHSA-556q-h4vr-pgh2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-556q-h4vr-pgh2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-556q-h4vr-pgh2/GHSA-556q-h4vr-pgh2.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-556q-h4vr-pgh2
- Aliases
- Published
- 2022-05-14T02:47:10Z
- Modified
- 2023-11-08T03:58:02.329941Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- CakePHP might allow remote attackers to bypass CSRF protection mechanism via the _method parameter
- Details
-
CakePHP 2.x and 3.x before 3.1.5 might allow remote attackers to bypass the CSRF protection mechanism via the
_methodparameter. - Database specific
{ "nvd_published_at": "2016-01-26T19:59:00Z", "github_reviewed_at": "2023-01-14T05:30:24Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-352" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2015-8379
- https://github.com/cakephp/cakephp/commit/0f818a23a876c01429196bf7623e1e94a50230f0
- https://github.com/cakephp/cakephp
- http://bakery.cakephp.org/2015/11/29/cakephp_315_released.html
- http://blog.mindedsecurity.com/2016/01/request-parameter-method-may-lead-to.html
- http://karmainsecurity.com/KIS-2016-01
- http://packetstormsecurity.com/files/135301/CakePHP-3.2.0-CSRF-Bypass.html
- http://seclists.org/fulldisclosure/2016/Jan/42
- http://www.securityfocus.com/archive/1/537317/100/0/threaded
Affected packages
Packagist / cakephp/cakephp
Package
- Name
- cakephp/cakephp
- Purl
- pkg:composer/cakephp/cakephp
Affected versions
2.*
2.4.5
2.4.6
2.4.7
2.4.8
2.4.9
2.4.10
2.5.0-beta
2.5.0-RC1
2.5.0-RC2
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.5.6
2.5.7
2.5.8
2.5.9
2.6.0-beta
2.6.0-RC1
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9
2.6.10
2.6.11
2.6.12
2.6.13
2.7.0-RC
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.7.10
2.7.11
2.8.0-RC1
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.9
2.9.0-RC1
2.9.0
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6
2.9.7
2.9.8
2.9.9
2.10.0-RC1
2.10.0
2.10.1
2.10.2
2.10.3
2.10.4
2.10.5
2.10.6
2.10.7
2.10.8
2.10.9
2.10.10
2.10.11
2.10.12
2.10.13
2.10.14
2.10.15
2.10.16
2.10.17
2.10.18
2.10.19
2.10.20
2.10.21
2.10.22
2.10.23
2.10.24
3.*
3.0.0-alpha1
3.0.0-alpha2
3.0.0-beta1
3.0.0-beta2
3.0.0-beta3
3.0.0-RC1
3.0.0-RC2
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14
3.0.15
3.0.16
3.0.17
3.0.18
3.0.19
3.1.0-beta
3.1.0-beta2
3.1.0-RC1
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4