Skip to content

CakePHP has incorrect Cross-Site Request Forgery validation

Moderate severity GitHub Reviewed Published Jan 20, 2023 to the GitHub Advisory Database • Updated Jan 20, 2023

Package

composer cakephp/cakephp (Composer)

Affected versions

>= 3.0.0, < 3.0.4

Patched versions

3.0.4

Description

CsrfComponent fails to invalidate requests that are missing both the CSRF token, and CSRF post data.

References

Published to the GitHub Advisory Database Jan 20, 2023
Reviewed Jan 20, 2023
Last updated Jan 20, 2023

Severity

Moderate

EPSS score

Weaknesses

Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-829q-v5g8-hhxc

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.