CVE-2020-35239
HIGHCakePHP 4.0.0-4.1.3 - Cross-Site Request Forgery Bypass via Method Override Parameter
Title source: llmDescription
A vulnerability exists in CakePHP versions 4.0.x through 4.1.3. The CsrfProtectionMiddleware component allows method override parameters to bypass CSRF checks by changing the HTTP request method to an arbitrary string that is not in the list of request methods that CakePHP checks. Additionally, the route middleware does not verify that this overriden method (which can be an arbitrary string) is actually an HTTP method.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_misc
https://bakery.cakephp.org/2020/12/07/cakephp_4010_released.html
Scores
CVSS v3
8.8
EPSS
0.0060
EPSS Percentile
44.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-352
Status
published
Products (2)
cakephp/cakephp
4.0.0 - 4.0.10Packagist
cakephp/cakephp
4.0.0 - 4.1.3
Published
Jan 26, 2021
Tracked Since
Feb 18, 2026