GHSA-j9q2-f9q7-jhgq

Suggest an improvement
Source
https://github.com/advisories/GHSA-j9q2-f9q7-jhgq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-j9q2-f9q7-jhgq/GHSA-j9q2-f9q7-jhgq.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-j9q2-f9q7-jhgq
Published
2023-01-20T23:22:09Z
Modified
2024-11-29T05:30:18.498335Z
Summary
CakePHP SecurityComponent cross form submission issue
Details

Prior to versions 2.4.8 and 1.3.18, forms secured by SecurityComponent could be submitted to any action without triggering SecurityComponent’s tampering protection. If an application contained multiple POST forms to manipulate the same models, it could be vulnerable to mass assignment issues.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-20T23:22:09Z"
}
References

Affected packages

Packagist / cakephp/cakephp

Package

Name
cakephp/cakephp
Purl
pkg:composer/cakephp/cakephp

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.4.8

Affected versions

2.*

2.4.5
2.4.6
2.4.7

Packagist / cakephp/cakephp

Package

Name
cakephp/cakephp
Purl
pkg:composer/cakephp/cakephp

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.3.0
Fixed
1.3.18