cakephp/cakephp Security Advisories for 2.5.0-RC2 (6)
-
[HIGH] CakePHP might allow remote attackers to bypass CSRF protection mechanism via the _method parameter
PKSA-hv96-tqmc-t3j9 CVE-2015-8379 GHSA-556q-h4vr-pgh2
Affected version: >=2.0.0-alpha,<3.1.5
Reported by:
GitHub -
[HIGH] CakePHP allows remote attackers to spoof their IP
PKSA-22c4-k52d-35hx CVE-2016-4793 GHSA-j8p3-8m69-2hqq
Affected version: >=3.2.0-rc1,<3.2.5|>=3.1.0-beta1,<3.1.12|>=3.0.0-rc1,<3.0.17|>=2.8.0-rc1,<2.8.2|>=2.7.0-rc1,<2.7.11|>=1.2.0,<2.6.13
Reported by:
GitHub -
[MEDIUM] Cross-Site Request Forgery in CakePHP
PKSA-8jvz-y796-qyx9 CVE-2020-15400 GHSA-j33j-fg2g-mcv2
Affected version: <3.10.3|>=4.0.0,<4.0.6
Reported by:
GitHub -
[MEDIUM] Remote File Inclusion through View template name manipulation
PKSA-2hqh-1wcb-3xv1 GHSA-6hg4-vp5q-47mw
Affected version: >=2.0.0,<2.0.99|>=2.1.0,<2.1.99|>=2.2.0,<2.2.99|>=2.3.0,<2.3.99|>=2.4.0,<2.4.99|>=2.5.0,<2.5.99|>=2.6.0,<2.6.12|>=2.7.0,<2.7.6|>=3.0.0,<3.0.15|>=3.1.0,<3.1.4
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[MEDIUM] Direct access of prefixed controller actions
PKSA-rxqv-21q6-c8p8 GHSA-j9q2-f9q7-jhgq
Affected version: >=2.0.0,<2.0.99|>=2.1.0,<2.1.99|>=2.2.0,<2.2.99|>=2.3.0,<2.3.99|>=2.4.0,<2.4.99|>=2.5.0,<2.5.9|>=2.6.0,<2.6.11|>=2.7.0,<2.7.2
Reported by:
FriendsOfPHP/security-advisories, GitHub -
[MEDIUM] Denial of Service attack through XML payloads
PKSA-xk7x-9sn9-kdzr GHSA-p76f-wr22-4rv6
Affected version: >=3.0.0,<3.0.6|>=2.0.0,<2.0.99|>=2.1.0,<2.1.99|>=2.2.0,<2.2.99|>=2.3.0,<2.3.99|>=2.4.0,<2.4.99|>=2.5.0,<2.5.90|>=2.6.0,<2.6.6
Reported by:
FriendsOfPHP/security-advisories, GitHub