CakePHP allows direct access of prefixed controller actions
Moderate severity
GitHub Reviewed
Published Jan 20, 2023 to the GitHub Advisory Database • Updated Jan 20, 2023
Package
Affected versions
>= 2.0.0, < 2.0.99
>= 2.1.0, < 2.1.99
>= 2.2.0, < 2.2.99
>= 2.3.0, < 2.3.99
>= 2.4.0, < 2.4.99
>= 2.5.0, < 2.5.9
>= 2.6.0, < 2.6.11
>= 2.7.0, < 2.7.2
Patched versions
2.0.99
2.1.99
2.2.99
2.3.99
2.4.99
2.5.9
2.6.11
2.7.2
Description
Reviewed Jan 20, 2023
Unconventional URL paths would allow direct access to prefixed actions without setting the correct request parameters.