GHSA-j9q2-f9q7-jhgq

Source: https://github.com/advisories/GHSA-j9q2-f9q7-jhgq
Import Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-j9q2-f9q7-jhgq/GHSA-j9q2-f9q7-jhgq.json
JSON Data: https://api.osv.dev/v1/vulns/GHSA-j9q2-f9q7-jhgq
Published: 2023-01-20T23:22:09Z
Modified: 2024-11-29T05:31:03.662873Z
Summary
CakePHP SecurityComponent cross form submission issue
Details

Prior to versions 2.4.8 and 1.3.18, forms secured by SecurityComponent could be submitted to any action without triggering SecurityComponent’s tampering protection. If an application contained multiple POST forms to manipulate the same models, it could be vulnerable to mass assignment issues.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-20T23:22:09Z"
}
References

Affected packages

Packagist / cakephp/cakephp

Package

Name: cakephp/cakephp
Purl: pkg:composer/cakephp/cakephp

Affected ranges

Type: ECOSYSTEM
Events:
Introduced: 2.0.0
Fixed: 2.4.8

Affected versions

2.*

2.4.5
2.4.6
2.4.7

Packagist / cakephp/cakephp

Package

Name: cakephp/cakephp
Purl: pkg:composer/cakephp/cakephp

Affected ranges

Type: ECOSYSTEM
Events:
Introduced: 1.3.0
Fixed: 1.3.18