
3.6.0


@dereuromark released this 24 Nov 22:27

Improvements

  • Fixed Remote Code Execution (RCE) vulnerability in ObjectType deserialization

    • Implemented whitelist-based deserialization to prevent object injection attacks
    • Now only allows safe classes (DateTime, DateTimeImmutable, and CakePHP I18n classes)
    • Impact: Prevents arbitrary code execution through malicious serialized data
  • Fixed Path Traversal vulnerability in GoogleMapHelper::icon()

    • Added path validation to prevent directory traversal attacks
    • Image paths are now restricted to WWW_ROOT/img/ directory
    • Impact: Prevents unauthorized file system access
  • Fixed SQL Injection vulnerability in GeocoderBehavior::distanceConditions()

    • Added input validation for table and field name parameters
    • Validates identifiers against alphanumeric pattern
    • Impact: Prevents SQL injection through field/table name manipulation
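The three fixes above are all input-validation guards. The PHP 8 script below is an added illustration, not the plugin's own code: it shows a whitelist-restricted `unserialize()`, a `realpath()`-based check that keeps an icon path under the image directory, and an identifier pattern check before a table or field name is placed into a SQL fragment. Function names (`safeUnserialize`, `resolveIconPath`, `assertIdentifier`, `distanceCondition`), the temporary directory used in place of `WWW_ROOT/img/`, and the serialized test payloads are all constructed for the demonstration; the CakePHP I18n classes are named only in a comment because the script runs without the framework.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's own code. Mirrors the three guards the
// release notes describe; names and the temp-directory layout are assumptions.

function check(bool $condition, string $label): void
{
    if (!$condition) {
        throw new RuntimeException("FAILED: {$label}");
    }
    echo "ok: {$label}\n";
}

// 1. Whitelist-based deserialization. CakePHP's I18n classes (assumed,
//    e.g. Cake\I18n\FrozenTime) would be appended when the framework is present.
const SAFE_CLASSES = [DateTime::class, DateTimeImmutable::class];

function containsIncompleteClass(mixed $value): bool
{
    // Nested payloads (arrays of objects) must be inspected as well.
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsIncompleteClass($item)) {
                return true;
            }
        }
    }
    return false;
}

function safeUnserialize(string $payload): mixed
{
    // allowed_classes turns every other class into __PHP_Incomplete_Class,
    // so no unexpected __wakeup()/__destruct() code path is ever reached.
    $value = @unserialize($payload, ['allowed_classes' => SAFE_CLASSES]);
    if ($value === false && $payload !== serialize(false)) {
        throw new InvalidArgumentException('Malformed serialized data');
    }
    if (containsIncompleteClass($value)) {
        throw new InvalidArgumentException('Disallowed class in serialized data');
    }
    return $value;
}

// 2. Path validation: the resolved file must stay under the image root.
function resolveIconPath(string $imgRoot, string $userPath): string
{
    $base = realpath($imgRoot);
    if ($base === false) {
        throw new RuntimeException('Image root does not exist');
    }
    // realpath() collapses "..", symlinks and duplicate separators; a missing
    // file yields false and is rejected too. The trailing separator in the
    // prefix stops "img_other" from matching "img".
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($resolved === false || strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException('Icon path is outside the image directory');
    }
    return $resolved;
}

// 3. Identifier validation before a name is interpolated into SQL.
function assertIdentifier(string $name): string
{
    if (preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name) !== 1) {
        throw new InvalidArgumentException("Invalid SQL identifier: {$name}");
    }
    return $name;
}

// Hypothetical fragment builder: identifiers are validated, the numeric bound
// is a bound placeholder so it never becomes part of the SQL text.
function distanceCondition(string $table, string $field): string
{
    return sprintf('%s.%s <= :max_distance', assertIdentifier($table), assertIdentifier($field));
}

// Demonstration with constructed inputs.
$ok = safeUnserialize(serialize(new DateTimeImmutable('2024-11-24 22:27:00')));
check($ok instanceof DateTimeImmutable, 'whitelisted class deserializes');
try {
    safeUnserialize('O:8:"stdClass":0:{}'); // constructed: stdClass is not whitelisted
    check(false, 'non-whitelisted class must be rejected');
} catch (InvalidArgumentException $e) {
    check(true, 'non-whitelisted class rejected: ' . $e->getMessage());
}

$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'img_' . bin2hex(random_bytes(4));
mkdir($root);
touch($root . DIRECTORY_SEPARATOR . 'marker.png');
check(resolveIconPath($root, 'marker.png') === realpath($root . '/marker.png'), 'in-root icon resolves');
try {
    resolveIconPath($root, '../outside.png');
    check(false, 'traversal must be rejected');
} catch (InvalidArgumentException $e) {
    check(true, 'traversal rejected: ' . $e->getMessage());
}
unlink($root . DIRECTORY_SEPARATOR . 'marker.png');
rmdir($root);

check(distanceCondition('Addresses', 'lat') === 'Addresses.lat <= :max_distance', 'valid identifiers accepted');
try {
    distanceCondition('Addresses', 'lat; DROP TABLE x');
    check(false, 'unsafe identifier must be rejected');
} catch (InvalidArgumentException $e) {
    check(true, 'unsafe identifier rejected: ' . $e->getMessage());
}
```

The deserialization guard checks nested values because `allowed_classes` only substitutes `__PHP_Incomplete_Class` for unexpected objects rather than failing the whole call, so a disallowed object inside an array would otherwise pass silently. The path check relies on `realpath()` returning a canonical absolute path, which is why the comparison is done with a trailing separator and against the resolved root rather than the raw string the caller supplied.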

Full Changelog: 3.5.2...3.6.0