VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-3cx6-dpsf-xkhw

Essentials
Severities (19)
References (13)
Severity details (17)
Exploits (1)
EPSS
History (1)

Vulnerability ID	VCID-3cx6-dpsf-xkhw
Aliases	CVE-2016-4793 GHSA-j8p3-8m69-2hqq
Summary	The clientIp function in CakePHP 3.2.4 and earlier allows remote attackers to spoof their IP via the CLIENT-IP HTTP header.
Status	Published
Exploitability	2.0
Weighted Severity	8.0
Risk	10.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-20	Improper Input Validation
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3.1	7.5	http://legalhackers.com/advisories/CakePHP-IP-Spoofing-Vulnerability.txt
generic_textual	HIGH	http://legalhackers.com/advisories/CakePHP-IP-Spoofing-Vulnerability.txt
epss	0.08275	https://api.first.org/data/v1/epss?cve=CVE-2016-4793
epss	0.08275	https://api.first.org/data/v1/epss?cve=CVE-2016-4793
cvssv3.1	7.5	https://bakery.cakephp.org/2016/03/13/cakephp_2613_2711_282_3017_3112_325_released.html
generic_textual	HIGH	https://bakery.cakephp.org/2016/03/13/cakephp_2613_2711_282_3017_3112_325_released.html
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-j8p3-8m69-2hqq
cvssv3.1	7.5	https://github.com/cakephp/cakephp
generic_textual	HIGH	https://github.com/cakephp/cakephp
cvssv3.1	7.5	https://github.com/cakephp/cakephp/commit/908754649f70bab2b1093942e17c9a46a2fcf6c2
generic_textual	HIGH	https://github.com/cakephp/cakephp/commit/908754649f70bab2b1093942e17c9a46a2fcf6c2
cvssv3.1	7.5	https://nvd.nist.gov/vuln/detail/CVE-2016-4793
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2016-4793
cvssv3.1	7.5	https://support.citrix.com/article/CTX236992
generic_textual	HIGH	https://support.citrix.com/article/CTX236992
cvssv3.1	7.5	https://www.exploit-db.com/exploits/39813
generic_textual	HIGH	https://www.exploit-db.com/exploits/39813
cvssv3.1	7.5	http://www.securityfocus.com/bid/95846
generic_textual	HIGH	http://www.securityfocus.com/bid/95846

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2016-4793
		https://bakery.cakephp.org/2016/03/13/cakephp_2613_2711_282_3017_3112_325_released.html
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4793
		https://github.com/cakephp/cakephp
		https://github.com/cakephp/cakephp/commit/908754649f70bab2b1093942e17c9a46a2fcf6c2
		https://nvd.nist.gov/vuln/detail/CVE-2016-4793
		https://support.citrix.com/article/CTX236992
		https://www.exploit-db.com/exploits/39813
		https://www.exploit-db.com/exploits/39813/
		http://www.securityfocus.com/bid/95846
CVE-2016-4793	Exploit	http://legalhackers.com/advisories/CakePHP-IP-Spoofing-Vulnerability.txt
CVE-2016-4793	Exploit	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/39813.txt
GHSA-j8p3-8m69-2hqq		https://github.com/advisories/GHSA-j8p3-8m69-2hqq

Data source	Exploit-DB
Date added	May 16, 2016
Description	CakePHP Framework 3.2.4 - IP Spoofing
Ransomware campaign use	Unknown
Source publication date	May 16, 2016
Exploit type	webapps
Platform	php
Source update date	May 16, 2016
Source URL	http://legalhackers.com/advisories/CakePHP-IP-Spoofing-Vulnerability.txt

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at http://legalhackers.com/advisories/CakePHP-IP-Spoofing-Vulnerability.txt

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://bakery.cakephp.org/2016/03/13/cakephp_2613_2711_282_3017_3112_325_released.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/cakephp/cakephp

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/cakephp/cakephp/commit/908754649f70bab2b1093942e17c9a46a2fcf6c2

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2016-4793

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://support.citrix.com/article/CTX236992

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://www.exploit-db.com/exploits/39813

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at http://www.securityfocus.com/bid/95846

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.92426
EPSS Score	0.08275
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T20:25:47.978230+00:00	Debian Oval Importer	Import	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.6.0