Prior to versions 2.4.8 and 1.3.18, forms secured by SecurityComponent could be submitted to any action without triggering SecurityComponent’s tampering protection. If an application contained multiple POST forms to manipulate the same models, it could be vulnerable to mass assignment issues.

References

• cakephp/cakephp@f23d811
• https://bakery.cakephp.org/2014/04/29/CakePHP-1-3-18-and-2-4-8-released.html
• https://github.com/FriendsOfPHP/security-advisories/blob/master/cakephp/cakephp/2014-04-29.yaml