Search for packages
| purl | pkg:composer/cakephp/cakephp@2.6.0-RC1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-251n-1k53-57dd
Aliases: CVE-2015-8379 GHSA-556q-h4vr-pgh2 |
CakePHP 2.x and 3.x before 3.1.5 might allow remote attackers to bypass the CSRF protection mechanism via the _method parameter. |
Affected by 3 other vulnerabilities. |
|
VCID-3cx6-dpsf-xkhw
Aliases: CVE-2016-4793 GHSA-j8p3-8m69-2hqq |
The clientIp function in CakePHP 3.2.4 and earlier allows remote attackers to spoof their IP via the CLIENT-IP HTTP header. |
Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-74cw-ufme-5yfh
Aliases: CVE-2020-15400 GHSA-j33j-fg2g-mcv2 |
CakePHP before 4.0.6 mishandles CSRF token generation. This might be remotely exploitable in conjunction with XSS. |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-yrzx-r3q3-43ej
Aliases: GMS-2015-41 |
Unsafe view template filenames result in a Remote File Inclusion vulnerability. |
Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-4nzp-mvbw-5kax | CakePHP vulnerable to Denial of Service attack through XML payloads RequestHandlerComponent had a vulnerability that would allow well crafted requests to create a denial of service attack. RequestHandlerComponent leverages `Xml::build()` which allows reading local files. We recommend that all applications using RequestHandlerComponent upgrade, or disable parsing XML payloads. |
GHSA-q79m-c546-2g63
GMS-2023-71 |
| VCID-nsq5-7j7c-hbak | CakePHP vulnerable to Remote File Inclusion through View template name manipulation CakePHP 2.x prior to 2.0.99, 2.1.99, 2.2.99, 2.3.99, 2.4.99, 2.5.99, 2.6.12, and 2.7.6 and 3.x prior to 3.0.15 and 3.1.4 is vulnerable to Remote File Inclusion through View template name manipulation. |
GHSA-p76f-wr22-4rv6
GMS-2023-70 |
| VCID-pjc3-66nj-mqe6 | PHP Remote File Inclusion Remote File Inclusion through View template name manipulation. |
GMS-2015-64
|
| VCID-pndg-eaey-2ydk | Potential direct access to prefixed actions Unconventional URL paths would allow direct access to prefixed actions without setting the correct request parameters. If your authorization depends on the presence of the prefix routing key you should upgrade as soon as possible. |
GMS-2015-17
|
| VCID-tuaz-rx17-huc6 | Direct access of prefixed controller actions Unconventional URL paths would allow direct access to prefixed actions without setting the correct request parameters. If your authorization depends on the presence of the prefix routing key you should upgrade as soon as possible. |
GMS-2015-63
|
| VCID-ufhs-run3-kqag | Unreliable data validation There's a flow in Validation::compare() and Validation::range() that makes possible to pass validation criteria using crafted data. |
GMS-2015-18
|
| VCID-yzq8-e9u1-3bbe | Uncontrolled Resource Consumption Denial of Service attack through XML payloads |
GMS-2015-62
|