Lucene search

295 matches found

Snyk
added 2024/10/24 7:41 p.m. | 1 view

Cross-site Scripting (XSS)

Overview: baserproject/basercms is a content management system based on CakePHP. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the Edit Email Form Settings feature. An attacker can manipulate the web page content or hijack user sessions. Details: Cross-site...

CVSS 7.1 | AI score 5.3 | EPSS 0.01064
Exploits 0 | References 2
Snyk
added 2024/10/24 7:40 p.m. | 1 view

Cross-site Scripting (XSS)

Overview: baserproject/basercms is a content management system based on CakePHP. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper handling of slugs on the article editing screen. An attacker can manipulate the output of the page by injecting malicious...

CVSS 7 | AI score 5.3 | EPSS 0.01236
Exploits 0 | References 2
CNNVD
added 2024/07/10 12:00 a.m. | 2 views

Croogo Code Issue Vulnerability

Croogo is a content management system (CMS) built on the CakePHP framework. It provides customizable content types (Blog, Node, Page), content editing with a WYSIWYG editor, and other features. Croogo 4.0.7 and earlier versions contain a code issue vulnerability; the vulnerability...

CVSS 5.8 | AI score 7 | EPSS 0.00078
Exploits 0 | References 5
OpenVAS
added 2024/04/15 12:00 a.m. | 23 views

PHP 8.3.x < 8.3.6 DoS Vulnerability (GHSA-fjp9-9hwx-59fq) - Linux

PHP is prone to a denial of service (DoS) vulnerability. (NASL script excerpt: SPDX-FileCopyrightText: 2024 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE = "cpe:/a:php:php"; if(description...)

CVSS 7.5 | AI score 7.6 | EPSS 0.00625
Exploits 1 | References 2
Packet Storm
added 2023/07/07 12:00 a.m. | 343 views

CakePHP Test Suite 2.7.0 Cross Site Scripting

| Title : CakePHP Test Suite v2.7.0 XSS Vulnerability | Author : indoushka | Tested on : Windows 10 Français V.Pro / browser : Mozilla Firefox 66.0.2 64-bit | ...

AI score 7.1
Exploits 0
OpenVAS
added 2023/03/08 12:00 a.m. | 8 views

Debian: Security Advisory (DLA-333-1)

The remote host is missing an update for the Debian...

AI score 7.5
Exploits 0 | References 2
OpenVAS
added 2023/03/08 12:00 a.m. | 8 views

Debian: Security Advisory (DLA-566-1)

The remote host is missing an update for the Debian...

AI score 7.5
Exploits 0 | References 3
Veracode
added 2023/01/30 10:15 a.m. | 16 views

Remote File Inclusion

cakephp/cakephp is vulnerable to Remote File Inclusion. The vulnerability is due to the getViewFileName function in View.php, which allows an attacker to execute arbitrary scripts outside the view path by manipulating view template filenames...

AI score 4.1
Exploits 0
Veracode
added 2023/01/30 9:11 a.m. | 19 views

SQL Injection

CakePHP is vulnerable to SQL Injection. The vulnerability exists in the limit and offset functions of Query.php due to unsanitized user input, which allows an attacker to inject and execute arbitrary SQL queries...

CVSS 9.8 | AI score 9.8 | EPSS 0.0093
Exploits 0 | References 9 | Affected Software 2
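The entry above describes LIMIT/OFFSET values reaching the SQL string unsanitized. The following is an added example, not CakePHP's own Query.php: a toy builder that splices the values in verbatim, beside a hardened builder that accepts only canonical non-negative integers. It runs against an in-memory SQLite database through PDO; the table names, rows and the `oracle()` helper are constructed for the demo. It also goes a step beyond the advisory text by showing why a numeric slot is still exploitable without quotes or a UNION: SQLite evaluates a scalar subquery in OFFSET, which gives a blind boolean oracle.

```php
<?php
// Added example, not CakePHP's own code: a toy query builder that splices
// LIMIT/OFFSET into the SQL string, as the advisory describes Query.php's
// limit() and offset() doing with unsanitized input, beside a hardened one.
// Assumptions: PDO with the sqlite driver; schema and rows below are constructed.
declare(strict_types=1);

final class VulnerableQuery
{
    /** Vulnerable: the caller-supplied values land verbatim in the SQL. */
    public static function build(string $table, $limit, $offset): string
    {
        return sprintf('SELECT * FROM %s LIMIT %s OFFSET %s', $table, $limit, $offset);
    }
}

final class HardenedQuery
{
    /** Accept only canonical non-negative integers (int, or a digit string without leading zeros). */
    private static function toNonNegativeInt($value): int
    {
        if (is_int($value) && $value >= 0) {
            return $value;
        }
        if (is_string($value) && preg_match('/^(0|[1-9][0-9]*)$/', $value) === 1) {
            return (int) $value;
        }
        throw new InvalidArgumentException('LIMIT/OFFSET must be a non-negative integer');
    }

    /** $table is a developer-controlled identifier here, never user input. */
    public static function build(string $table, $limit, $offset): string
    {
        return sprintf(
            'SELECT * FROM %s LIMIT %d OFFSET %d',
            $table,
            self::toNonNegativeInt($limit),
            self::toNonNegativeInt($offset)
        );
    }
}

/** Constructed schema and rows so the example runs offline. */
function seed(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)');
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, secret TEXT)');
    $pdo->exec("INSERT INTO articles (title) VALUES ('first'), ('second'), ('third')");
    $pdo->exec("INSERT INTO users (secret) VALUES ('s3cr3t')");
    return $pdo;
}

/**
 * Blind boolean oracle through the OFFSET slot: a wrong guess shifts past all
 * three article rows (empty result), a right guess returns them.
 */
function oracle(PDO $pdo, int $pos, string $guess): bool
{
    $payload = sprintf(
        "(SELECT CASE WHEN substr(secret,%d,1)='%s' THEN 0 ELSE 3 END FROM users)",
        $pos,
        $guess
    );
    $rows = $pdo->query(VulnerableQuery::build('articles', 10, $payload))->fetchAll();
    return count($rows) > 0;
}

$pdo = seed();

// Recover the first character of the secret one guess at a time.
$recovered = '';
foreach (array_merge(range('a', 'z'), range('0', '9')) as $c) {
    if (oracle($pdo, 1, (string) $c)) {
        $recovered = (string) $c;
        break;
    }
}
echo "leaked first char: {$recovered}\n";

// The hardened builder rejects the same class of payload before it reaches SQL.
try {
    HardenedQuery::build('articles', 10, '(SELECT 1)');
} catch (InvalidArgumentException $e) {
    echo "hardened: {$e->getMessage()}\n";
}
// Canonical values still work, and %d guarantees only digits are emitted.
echo HardenedQuery::build('articles', '10', 0), "\n";
```

Casting with `(int)` alone is not enough on its own path: `(int) "1 OR 1=1"` silently yields `1`, which hides the attempt instead of rejecting it, so the hardened builder validates the canonical form first and only then formats with `%d`.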
Veracode
added 2023/01/30 6:14 a.m. | 10 views

Cross-site Scripting (XSS)

cakephp is vulnerable to Cross-Site Scripting. The vulnerability is due to a lack of sanitization of HTML elements in the development-only missing-route and duplicate-named-route error pages, which can lead to JavaScript injection...

AI score 0.2
Exploits 0
Veracode
added 2023/01/30 5:17 a.m. | 6 views

Denial Of Service (DoS)

cakephp/cakephp is vulnerable to Denial Of Service. The vulnerability exists because the RequestHandlerComponent leverages Xml::build, which allows an attacker to cause an application crash by reading local files...

AI score 3.1
Exploits 0
Veracode
added 2023/01/27 8:38 a.m. | 11 views

Improper Access Control

cakephp/cakephp is vulnerable to Improper Access Control. The vulnerability exists due to mass assignment issues when multiple POST requests manipulate the same model, allowing an attacker to perform cross-form submissions to the SecurityComponent...

AI score 3.9
Exploits 0
Veracode
added 2023/01/26 4:56 a.m. | 13 views

Cross-site Request Forgery (CSRF)

cakephp/cakephp is vulnerable to Cross-Site Request Forgery (CSRF). A remote attacker is able to bypass the CSRF protection mechanism via the $cookie variable in the validateToken function, because CsrfComponent fails to invalidate requests that are missing both the CSRF token and the CSRF post data...

AI score 3.8
Exploits 0
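The failure mode in the entry above is a check that fails open when there is nothing to compare. The following is an added example, not CakePHP's CsrfComponent: a minimal token validator modelled on that description (a request carrying neither the token cookie nor the POST field is not rejected), beside a fail-closed version. The cookie and field names and the three sample requests are assumptions constructed for the demo.

```php
<?php
// Added example, not CakePHP's own code: a token check that fails open when
// both the CSRF cookie and the CSRF POST field are absent, as the advisory
// describes, beside a fail-closed check. Names are assumptions for the demo.
declare(strict_types=1);

const CSRF_COOKIE = 'csrfToken';
const CSRF_FIELD  = '_csrfToken';

/** Vulnerable: the "no cookie, no field" case falls through to valid. */
function validateTokenVulnerable(array $cookies, array $post): bool
{
    $cookie = $cookies[CSRF_COOKIE] ?? null;
    $token  = $post[CSRF_FIELD] ?? null;
    if ($cookie === null) {
        // Treated as "no token issued yet"; with no field either, this returns true.
        return $token === null;
    }
    return $token !== null && hash_equals($cookie, $token);
}

/** Hardened: a state-changing request must carry both halves, and they must match. */
function validateTokenHardened(array $cookies, array $post): bool
{
    $cookie = $cookies[CSRF_COOKIE] ?? null;
    $token  = $post[CSRF_FIELD] ?? null;
    if (!is_string($cookie) || $cookie === '' || !is_string($token) || $token === '') {
        return false; // missing or empty on either side is a failure, never a pass
    }
    return hash_equals($cookie, $token);
}

function newToken(): string
{
    return bin2hex(random_bytes(16));
}

// --- constructed requests: [cookies, post] ----------------------------------
$issued = newToken();

// 1. Legitimate form post: cookie set by the app, matching hidden field.
$legit = [[CSRF_COOKIE => $issued], [CSRF_FIELD => $issued, 'email' => 'victim@example.com']];

// 2. Cross-site post from an attacker page: no hidden field, and the victim's
//    browser holds no token cookie (never visited a token-issuing page, or the
//    cookie was dropped), so both halves are absent.
$csrfNoCookie = [[], ['email' => 'attacker@example.com']];

// 3. Cross-site post where the victim holds the cookie but the attacker cannot
//    read it, so only the field is missing.
$csrfWithCookie = [[CSRF_COOKIE => $issued], ['email' => 'attacker@example.com']];

$cases = [
    'legit'            => $legit,
    'csrf-no-cookie'   => $csrfNoCookie,
    'csrf-with-cookie' => $csrfWithCookie,
];
foreach ($cases as $name => [$cookies, $post]) {
    printf(
        "%-17s vulnerable=%s hardened=%s\n",
        $name,
        validateTokenVulnerable($cookies, $post) ? 'ACCEPT' : 'reject',
        validateTokenHardened($cookies, $post) ? 'ACCEPT' : 'reject'
    );
}
```

Only the second case separates the two validators: the vulnerable one accepts it because there is nothing to compare, the hardened one rejects it because absence is itself a failure. The comparison uses `hash_equals()` so that a present-but-wrong token is not distinguishable by timing.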
Veracode
added 2023/01/26 3:36 a.m. | 9 views

Privilege Escalation

cakephp/cakephp is vulnerable to Privilege Escalation. A remote attacker is able to directly access prefixed actions without setting the correct request parameters, due to unconventional URL paths, which allows an attacker to elevate privileges when the authorization depends on the presence of the...

AI score 6.7
Exploits 0
OSV
added 2023/01/20 11:35 p.m. | 13 views

GHSA-XWHJ-PQCG-8RCR CakePHP vulnerable to Cross-site Scripting in some development error pages

CakePHP 3.4 prior to 3.4.14, 3.5 prior to 3.5.17, and 3.6 prior to 3.6.4 contains a cross-site scripting (XSS) vulnerability in the development-only missing-route and duplicate-named-route error pages...

AI score 6.5
Exploits 0 | References 4
Github Security Blog
added 2023/01/20 11:35 p.m. | 12 views

CakePHP vulnerable to Cross-site Scripting in some development error pages

CakePHP 3.4 prior to 3.4.14, 3.5 prior to 3.5.17, and 3.6 prior to 3.6.4 contains a cross-site scripting (XSS) vulnerability in the development-only missing-route and duplicate-named-route error pages...

AI score 2
Exploits 0 | References 4 | Affected Software 1
OSV
added 2023/01/20 11:35 p.m. | 19 views

GHSA-P76F-WR22-4RV6 CakePHP vulnerable to Remote File Inclusion through View template name manipulation

CakePHP 2.x prior to 2.0.99, 2.1.99, 2.2.99, 2.3.99, 2.4.99, 2.5.99, 2.6.12, and 2.7.6, and 3.x prior to 3.0.15 and 3.1.4, is vulnerable to Remote File Inclusion through View template name manipulation...

AI score 7.1
Exploits 0 | References 4
Github Security Blog
added 2023/01/20 11:35 p.m. | 16 views

CakePHP vulnerable to Remote File Inclusion through View template name manipulation

CakePHP 2.x prior to 2.0.99, 2.1.99, 2.2.99, 2.3.99, 2.4.99, 2.5.99, 2.6.12, and 2.7.6, and 3.x prior to 3.0.15 and 3.1.4, is vulnerable to Remote File Inclusion through View template name manipulation...

AI score 2.6
Exploits 0 | References 4 | Affected Software 1
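The Veracode "Remote File Inclusion" entry and the two GHSA-P76F-WR22-4RV6 entries above all describe the same weakness: a view template name from the request is turned into a file path without confining the result to the view directory. The following is an added example, not CakePHP's View.php or its getViewFileName: a resolver that concatenates the name, beside one that canonicalises with `realpath()` and requires the result to sit under the view directory. The temporary directory layout, file names and the attacker-written `shell.ctp` are constructed for the demo; it assumes PHP 8 for `str_contains()`.

```php
<?php
// Added example, not CakePHP's own code: a template resolver that trusts the
// requested view name, beside one that refuses anything resolving outside the
// view directory. Paths and files below are constructed for the demo.
declare(strict_types=1);

/** Vulnerable: "../" sequences, absolute paths and stream wrappers pass straight through. */
function resolveTemplateVulnerable(string $viewPath, string $name): string
{
    return $viewPath . DIRECTORY_SEPARATOR . $name . '.ctp';
}

/**
 * Hardened: realpath() collapses ".." and symlinks, returns false for files
 * that do not exist and for wrappers such as http://, and the prefix check
 * pins the result under the canonical view directory.
 */
function resolveTemplateHardened(string $viewPath, string $name): string
{
    $base = realpath($viewPath);
    if ($base === false) {
        throw new RuntimeException('view path does not exist');
    }
    // Cheap pre-check before touching the filesystem.
    if ($name === '' || str_contains($name, '..') || str_contains($name, '://')) {
        throw new RuntimeException('illegal template name');
    }
    $real   = realpath($base . DIRECTORY_SEPARATOR . $name . '.ctp');
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('template resolves outside the view path');
    }
    return $real;
}

// --- constructed layout: <root>/views/Posts/index.ctp plus an attacker-written
//     <root>/uploads/shell.ctp outside the view directory
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'rfi-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/views/Posts', 0700, true);
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/views/Posts/index.ctp', '<h1>posts</h1>');
file_put_contents($root . '/uploads/shell.ctp', '<?php /* constructed attacker payload */');

$viewPath = $root . '/views';

foreach (['Posts/index', '../uploads/shell', 'http://attacker.example/shell'] as $name) {
    $v = resolveTemplateVulnerable($viewPath, $name);
    printf("%-30s vulnerable -> %s (%s)\n", $name, $v, file_exists($v) ? 'exists' : 'missing');
    try {
        printf("%-30s hardened   -> %s\n", '', resolveTemplateHardened($viewPath, $name));
    } catch (RuntimeException $e) {
        printf("%-30s hardened   -> rejected: %s\n", '', $e->getMessage());
    }
}
```

The appended `.ctp` extension narrows what an attacker can reach but does not confine it: any file they can write with that extension (an upload directory, a writable temp path) is still includable through `../`. Confinement has to be checked on the canonical path, not on the string.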
Github Security Blog
added 2023/01/20 11:34 p.m. | 13 views

CakePHP allows direct access of prefixed controller actions

Unconventional URL paths would allow direct access to prefixed actions without setting the correct request parameters...

AI score 5.2
Exploits 0 | References 7 | Affected Software 1
OSV
added 2023/01/20 11:34 p.m. | 13 views

GHSA-6HG4-VP5Q-47MW CakePHP allows direct access of prefixed controller actions

Unconventional URL paths would allow direct access to prefixed actions without setting the correct request parameters...

AI score 7.1
Exploits 0 | References 7
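The Veracode "Privilege Escalation" entry and the two "direct access of prefixed controller actions" entries above describe the same gap: a prefixed action can be reached through a path that never sets the prefix request parameter, so authorization keyed on that parameter is skipped. The following is an added example, not CakePHP's dispatcher: it models a CakePHP-2-style convention in which a leading `/admin` segment maps to an action named `admin_<action>` and records `prefix` in the request params. The controller, role names, URLs and both dispatchers are constructed for the demo, and it assumes PHP 8 for `str_starts_with()`.

```php
<?php
// Added example, not CakePHP's own code: a dispatcher that lets a prefixed
// action be invoked by naming it directly in the path, beside one that only
// reaches <prefix>_<action> through the matching prefix route. All names here
// are constructed for the demo.
declare(strict_types=1);

const PREFIXES = ['admin'];

final class UsersController
{
    public function index(): string        { return 'public user list'; }
    public function admin_delete(): string { return 'DELETED user (admin action)'; }
}

/** Authorization keyed only on the prefix param: prefixed areas need the admin role. */
function isAuthorized(array $params, array $user): bool
{
    if (($params['prefix'] ?? null) === 'admin') {
        return ($user['role'] ?? '') === 'admin';
    }
    return true; // unprefixed actions are public
}

/** Parse /[prefix/]controller/action; only a leading prefix segment sets 'prefix'. */
function parseUrl(string $path): array
{
    $seg = array_values(array_filter(explode('/', $path), 'strlen'));
    $params = ['prefix' => null];
    if (isset($seg[0]) && in_array($seg[0], PREFIXES, true)) {
        $params['prefix'] = array_shift($seg);
    }
    $params['controller'] = $seg[0] ?? 'pages';
    $params['action']     = $seg[1] ?? 'index';
    if ($params['prefix'] !== null) {
        $params['action'] = $params['prefix'] . '_' . $params['action'];
    }
    return $params;
}

/** Vulnerable: invokes whatever public method the action segment names (single controller for the demo). */
function dispatchVulnerable(string $path, array $user): string
{
    $p = parseUrl($path);
    if (!isAuthorized($p, $user)) {
        return '403';
    }
    $ctrl = new UsersController();
    return method_exists($ctrl, $p['action']) ? $ctrl->{$p['action']}() : '404';
}

/** Hardened: an action whose name carries a prefix is reachable only via that prefix route. */
function dispatchHardened(string $path, array $user): string
{
    $p = parseUrl($path);
    foreach (PREFIXES as $prefix) {
        if (str_starts_with($p['action'], $prefix . '_') && $p['prefix'] !== $prefix) {
            return '404'; // e.g. /users/admin_delete typed directly
        }
    }
    if (!isAuthorized($p, $user)) {
        return '403';
    }
    $ctrl = new UsersController();
    return method_exists($ctrl, $p['action']) ? $ctrl->{$p['action']}() : '404';
}

$anon = ['role' => 'guest'];
foreach (['/users/index', '/admin/users/delete', '/users/admin_delete'] as $url) {
    printf(
        "%-22s vulnerable=%-30s hardened=%s\n",
        $url,
        dispatchVulnerable($url, $anon),
        dispatchHardened($url, $anon)
    );
}
```

The conventional `/admin/users/delete` is refused by both dispatchers for a guest because `prefix` is set and the role check runs. The unconventional `/users/admin_delete` names the same method with `prefix` unset, so the vulnerable dispatcher treats it as a public action and runs it; the hardened one refuses any action whose name carries a prefix that the route did not supply. The same lesson generalises: authorization should key on the action actually being executed, not only on routing metadata that an alternative path may leave unset.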