CVE-2020-15400
CakePHP before 4.0.6 mishandles CSRF token generation, potentially allowing remote exploitation in conjunction with XSS. Affected software is CakePHP prior to 4.0.6; the issue is tied to CSRF token handling, not general input validation. The remediation mentioned in the public release is to upgrade to Ca...
CVE-2010-4335
CakePHP 1.2.8 and 1.3.x up to 1.3.5 are affected. The _validatePost function in libs/controller/components/security.php processes a crafted data[_Token][fields] value with unserialize, allowing remote attackers to modify the internal Cake cache and execute arbitrary code (demonstrated via modifyi...
CVE-2012-4399
The CVE-2012-4399 issue affects CakePHP’s Xml class: versions 2.1.x prior to 2.1.5 and 2.2.x prior to 2.2.1 are vulnerable to an XML external entity (XXE) injection that lets remote attackers read arbitrary files via XML data containing external entity references. Root cause is improper handling ...