CVE-2015-8379
HIGHCakePHP 2.x and 3.x < 3.1.5 - Cross-Site Request Forgery Bypass via _method Parameter
Title source: llmDescription
CakePHP 2.x and 3.x before 3.1.5 might allow remote attackers to bypass the CSRF protection mechanism via the _method parameter.
References (7)
Core 7
Core References
Exploit x_refsource_misc
http://packetstormsecurity.com/files/135301/CakePHP-3.2.0-CSRF-Bypass.html
Exploit x_refsource_misc
http://blog.mindedsecurity.com/2016/01/request-parameter-method-may-lead-to.html
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/537317/100/0/threaded
Vendor Advisory x_refsource_confirm
http://bakery.cakephp.org/2015/11/29/cakephp_315_released.html
Exploit mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2016/Jan/42
Patch x_refsource_confirm
https://github.com/cakephp/cakephp/commit/0f818a23a876c01429196bf7623e1e94a50230f0
Exploit x_refsource_misc
http://karmainsecurity.com/KIS-2016-01
Scores
CVSS v3
8.8
EPSS
0.0140
EPSS Percentile
69.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-352
Status
published
Products (35)
cakephp/cakephp
2.0.0 (7 CPE variants)
cakephp/cakephp
2.0.1
cakephp/cakephp
2.0.2
cakephp/cakephp
2.0.3
cakephp/cakephp
2.0.4
cakephp/cakephp
2.0.5
cakephp/cakephp
2.0.6
cakephp/cakephp
2.1.0 (4 CPE variants)
cakephp/cakephp
2.1.1
cakephp/cakephp
2.1.2
... and 25 more
Published
Jan 26, 2016
Tracked Since
Feb 18, 2026