CakePHP vulnerable to Remote File Inclusion through View template name manipulation
Moderate severity
GitHub Reviewed
Published Jan 20, 2023 to the GitHub Advisory Database
Updated Jan 20, 2023
Package
Affected versions
>= 2.0.0, < 2.0.99
>= 2.1.0, < 2.1.99
>= 2.2.0, < 2.2.99
>= 2.3.0, < 2.3.99
>= 2.4.0, < 2.4.99
>= 2.5.0, < 2.5.99
>= 2.6.0, < 2.6.12
>= 2.7.0, < 2.7.6
>= 3.0.0, < 3.0.15
>= 3.1.0, < 3.1.4
Patched versions
2.0.99
2.1.99
2.2.99
2.3.99
2.4.99
2.5.99
2.6.12
2.7.6
3.0.15
3.1.4
Description
Reviewed Jan 20, 2023
CakePHP 2.x prior to 2.0.99, 2.1.99, 2.2.99, 2.3.99, 2.4.99, 2.5.99, 2.6.12, and 2.7.6 and 3.x prior to 3.0.15 and 3.1.4 is vulnerable to Remote File Inclusion through View template name manipulation.