GHSA-xwhj-pqcg-8rcr

Source

https://github.com/advisories/GHSA-xwhj-pqcg-8rcr

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-xwhj-pqcg-8rcr/GHSA-xwhj-pqcg-8rcr.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-xwhj-pqcg-8rcr

Published

2023-01-20T23:35:17Z

Modified

2024-11-29T05:41:07.087696Z

Summary

CakePHP vulnerable to Cross-site Scripting in some development error pages

Details

CakePHP 3.4 prior to 3.4.14, 3.5 prior to 3.5.17, and 3.6 prior to 3.6.4 contains a cross-site-scripting (XSS) vulnerability in the development only missing route and duplicate named route error pages.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-20T23:35:17Z"
}

References

Affected packages

Packagist / cakephp/cakephp

Package

Name: cakephp/cakephp
Purl: pkg:composer/cakephp/cakephp

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.4.0

Fixed

3.4.14

Affected versions

3.*

3.4.0

3.4.1

3.4.2

3.4.3

3.4.4

3.4.5

3.4.6

3.4.7

3.4.8

3.4.9

3.4.10

3.4.11

3.4.12

3.4.13

Packagist / cakephp/cakephp

Package

Name: cakephp/cakephp
Purl: pkg:composer/cakephp/cakephp

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.5.0

Fixed

3.5.17

Affected versions

3.*

3.5.0

3.5.1

3.5.2

3.5.3

3.5.4

3.5.5

3.5.6

3.5.7

3.5.8

3.5.9

3.5.10

3.5.11

3.5.12

3.5.13

3.5.14

3.5.15

3.5.16

Packagist / cakephp/cakephp

Package

Name: cakephp/cakephp
Purl: pkg:composer/cakephp/cakephp

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.6.0

Fixed

3.6.4

Affected versions

3.*

3.6.0

3.6.1

3.6.2

3.6.3