CSRF Protection Bypass in CakePHP Versions 2.x and 3.x
CVE-2015-8379

8.8 HIGH

Key Information:

Vendor: CakePHP
Status: Vendor
CVE Published: 26 January 2016

What is CVE-2015-8379?

CakePHP 2.x and 3.x prior to 3.1.5 contain a flaw in their Cross-Site Request Forgery (CSRF) protection mechanism. A remote attacker can abuse the _method parameter to bypass the intended CSRF protection. Successful exploitation allows unauthorized actions to be performed on behalf of legitimate users, compromising application integrity and user safety.

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved