CVE-2020-35239

HIGH

CakePHP 4.0.0-4.1.3 - Cross-Site Request Forgery Bypass via Method Override Parameter

Title source: llm
STIX 2.1

Description

A vulnerability exists in CakePHP versions 4.0.x through 4.1.3. The CsrfProtectionMiddleware component allows method override parameters to bypass CSRF checks by changing the HTTP request method to an arbitrary string that is not in the list of request methods that CakePHP checks. Additionally, the route middleware does not verify that this overriden method (which can be an arbitrary string) is actually an HTTP method.

References (1)

Core 1
Core References

Scores

CVSS v3 8.8
EPSS 0.0060
EPSS Percentile 44.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (2)
cakephp/cakephp 4.0.0 - 4.0.10Packagist
cakephp/cakephp 4.0.0 - 4.1.3
Published Jan 26, 2021
Tracked Since Feb 18, 2026