Package details: pkg:composer/cakephp/cakephp@3.0.17
purl: pkg:composer/cakephp/cakephp@3.0.17
Next non-vulnerable version: 3.10.3
Latest non-vulnerable version: 5.3.1
Risk: 10.0
Vulnerabilities affecting this package (4)
Vulnerability: VCID-84hg-51gr-2qhx
Aliases: CVE-2015-8379, GHSA-556q-h4vr-pgh2
Summary: Cross-Site Request Forgery (CSRF). CakePHP 2.x and 3.x before 3.1.5 might allow remote attackers to bypass the CSRF protection mechanism via the _method parameter.
Fixed by: 3.1.5 (affected by 3 other vulnerabilities)

Vulnerability: VCID-cp8q-ar71-mqdf
Aliases: CVE-2020-15400, GHSA-j33j-fg2g-mcv2
Summary: Cross-Site Request Forgery (CSRF). CakePHP mishandles CSRF token generation. This might be remotely exploitable in conjunction with XSS.
Fixed by: 3.10.3 (affected by 0 other vulnerabilities); 4.0.6 (affected by 1 other vulnerability)

Vulnerability: VCID-dha1-eyc9-7qff
Aliases: CVE-2019-11458, GHSA-qhrx-hcm6-pmrw
Summary: Unsafe deserialization in SmtpTransport in CakePHP. An issue was discovered in SmtpTransport in CakePHP 3.7.6. An unserialized object with modified internal properties can trigger arbitrary file overwriting upon destruction.
Fixed by: 3.5.18 (affected by 1 other vulnerability); 3.6.15 (affected by 1 other vulnerability); 3.7.7 (affected by 1 other vulnerability)

Vulnerability: VCID-f8wn-raej-7qg4
Aliases: CVE-2016-4793, GHSA-j8p3-8m69-2hqq
Summary: Improper Input Validation. The `clientIp` function in CakePHP allows remote attackers to spoof their IP via the `CLIENT-IP` HTTP header.
Fixed by: 3.1.12 (affected by 3 other vulnerabilities); 3.2.5 (affected by 2 other vulnerabilities)

Vulnerabilities fixed by this package (1)
Vulnerability: VCID-f8wn-raej-7qg4
Aliases: CVE-2016-4793, GHSA-j8p3-8m69-2hqq
Summary: Improper Input Validation. The `clientIp` function in CakePHP allows remote attackers to spoof their IP via the `CLIENT-IP` HTTP header.