Package details: pkg:composer/cakephp/cakephp@3.0.0-RC1
purl pkg:composer/cakephp/cakephp@3.0.0-RC1
Next non-vulnerable version 3.10.3
Latest non-vulnerable version 5.3.1
Risk 10.0
Vulnerabilities affecting this package (3)
Vulnerability Summary Fixed by
VCID-251n-1k53-57dd
Aliases:
CVE-2015-8379
GHSA-556q-h4vr-pgh2
CakePHP 2.x and 3.x before 3.1.5 might allow remote attackers to bypass the CSRF protection mechanism via the _method parameter.
3.1.5
Affected by 3 other vulnerabilities.
VCID-3cx6-dpsf-xkhw
Aliases:
CVE-2016-4793
GHSA-j8p3-8m69-2hqq
The clientIp function in CakePHP 3.2.4 and earlier allows remote attackers to spoof their IP via the CLIENT-IP HTTP header.
3.0.17
Affected by 4 other vulnerabilities.
3.1.12
Affected by 3 other vulnerabilities.
3.2.5
Affected by 2 other vulnerabilities.
VCID-74cw-ufme-5yfh
Aliases:
CVE-2020-15400
GHSA-j33j-fg2g-mcv2
CakePHP before 4.0.6 mishandles CSRF token generation. This might be remotely exploitable in conjunction with XSS.
3.10.3
Affected by 0 other vulnerabilities.
4.0.6
Affected by 1 other vulnerability.
Vulnerabilities fixed by this package (6)
Vulnerability Summary Aliases
VCID-pjc3-66nj-mqe6 PHP Remote File Inclusion Remote File Inclusion through View template name manipulation. GMS-2015-64
VCID-pndg-eaey-2ydk Potential direct access to prefixed actions Unconventional URL paths would allow direct access to prefixed actions without setting the correct request parameters. If your authorization depends on the presence of the prefix routing key you should upgrade as soon as possible. GMS-2015-17
VCID-tuaz-rx17-huc6 Direct access of prefixed controller actions Unconventional URL paths would allow direct access to prefixed actions without setting the correct request parameters. If your authorization depends on the presence of the prefix routing key you should upgrade as soon as possible. GMS-2015-63
VCID-ufhs-run3-kqag Unreliable data validation There's a flaw in Validation::compare() and Validation::range() that makes it possible to pass validation criteria using crafted data. GMS-2015-18
VCID-yrzx-r3q3-43ej Unsafe view template filenames result in a Remote File Inclusion vulnerability. GMS-2015-41
VCID-yzq8-e9u1-3bbe Uncontrolled Resource Consumption Denial of Service attack through XML payloads GMS-2015-62

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-12T18:12:29.361889+00:00 GitLab Importer Affected by VCID-251n-1k53-57dd https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/cakephp/cakephp/CVE-2015-8379.yml 38.6.0
2026-06-12T17:22:16.025322+00:00 GitLab Importer Affected by VCID-74cw-ufme-5yfh https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/cakephp/cakephp/CVE-2020-15400.yml 38.6.0
2026-06-12T16:52:17.932851+00:00 GitLab Importer Affected by VCID-3cx6-dpsf-xkhw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/cakephp/cakephp/CVE-2016-4793.yml 38.6.0
2026-06-12T16:48:57.800964+00:00 GitLab Importer Fixing VCID-yrzx-r3q3-43ej https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/cakephp/cakephp/GMS-2015-41.yml 38.6.0
2026-06-12T16:48:57.392364+00:00 GitLab Importer Fixing VCID-pjc3-66nj-mqe6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/cakephp/cakephp/GMS-2015-64.yml 38.6.0
2026-06-12T16:48:41.248576+00:00 GitLab Importer Fixing VCID-tuaz-rx17-huc6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/cakephp/cakephp/GMS-2015-63.yml 38.6.0
2026-06-12T16:48:40.957767+00:00 GitLab Importer Fixing VCID-pndg-eaey-2ydk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/cakephp/cakephp/GMS-2015-17.yml 38.6.0
2026-06-12T16:48:40.662107+00:00 GitLab Importer Fixing VCID-ufhs-run3-kqag https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/cakephp/cakephp/GMS-2015-18.yml 38.6.0
2026-06-12T16:48:30.316037+00:00 GitLab Importer Fixing VCID-yzq8-e9u1-3bbe https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/cakephp/cakephp/GMS-2015-62.yml 38.6.0