5 matches found
GHSA-9PGX-PF36-W46R CakePHP allows method override parameters to bypass CSRF checks
A vulnerability exists in CakePHP versions 4.0.x through 4.1.3. The CsrfProtectionMiddleware component allows method override parameters to bypass CSRF checks by changing the HTTP request method to an arbitrary string that is not in the list of request methods that CakePHP checks. Additionally, t...
CakePHP 3.10.3 Released
CakePHP 3.10.3 Released The CakePHP core team is happy to announce the immediate availability of CakePHP 3.10.3. This is a maintenance and security release for the 3.10 branch that fixes a couple community reported issues, and patches a security vulnerability. Security Fixes The 3.10.3 release...
Cross-site Request Forgery (CSRF)
cakephp/cakephp is vulnerable to cross-site request forgery. The vulnerability exists because the CsrfProtectionMiddleware component lacks a verification step, which allows CSRF checks to be bypassed by changing the HTTP request method to an arbitrary string that is not in the list of request methods...
PT-2021-11738 · Cakephp · Cakephp
Name of the Vulnerable Software and Affected Versions: CakePHP versions 4.0.x through 4.1.3 Description: A vulnerability exists in the CsrfProtectionMiddleware component, allowing method override parameters to bypass CSRF checks by changing the HTTP request method to an arbitrary string that is n...
CakePHP 4.0.10 Released
CakePHP 4.0.10 Released The CakePHP core team is happy to announce the immediate availability of CakePHP 4.0.10. This release contains security fixes and is a recommended upgrade for all applications still using 4.0.x. The security fixes address a vulnerability in the CsrfProtectionMiddleware tha...