CVE-2010-4335

Improper Input Validation in packagist/cakephp/cakephp

Identifiers

GHSA-g2vx-8v47-4vhh, CVE-2010-4335

Package Slug

packagist/cakephp/cakephp

Vulnerability

Improper Input Validation

Description

The validatePost function in libs/controller/components/security.php in CakePHP 1.3.x through 1.3.5 and 1.2.8 allows remote attackers to modify the internal Cake cache and execute arbitrary code via a crafted data[_Token][fields] value that is processed by the unserialize function, as demonstrated by modifying the filemap cache to execute arbitrary local files.
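One way to avoid the pattern described above, as an added PHP example (not CakePHP's own code or its 1.3.6 patch): the form token is authenticated with an HMAC and parsed as a flat delimiter-separated list, so client-supplied bytes never reach unserialize(). The token layout, the key and the function names are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not CakePHP's SecurityComponent code.
// Assumed token layout: "<hex HMAC-SHA256>:<locked field names joined by '|'>".
const DEMO_KEY = 'constructed-demo-secret'; // constructed value; use a per-application secret

function buildToken(array $postedFields, array $locked, string $key = DEMO_KEY): string
{
    sort($postedFields);
    sort($locked);
    $lockedPart = implode('|', $locked);
    $mac = hash_hmac('sha256', implode('|', $postedFields) . "\n" . $lockedPart, $key);
    return $mac . ':' . $lockedPart;
}

function validateToken(string $token, array $postedFields, string $key = DEMO_KEY): ?array
{
    // Split without interpreting: no unserialize() on client-supplied bytes.
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !preg_match('/\A[0-9a-f]{64}\z/', $parts[0])) {
        return null;
    }
    [$mac, $lockedPart] = $parts;
    // Restrict the payload to a flat list of simple field names.
    if ($lockedPart !== '' && !preg_match('/\A[A-Za-z0-9_.]+(\|[A-Za-z0-9_.]+)*\z/', $lockedPart)) {
        return null;
    }
    sort($postedFields);
    $expected = hash_hmac('sha256', implode('|', $postedFields) . "\n" . $lockedPart, $key);
    // Constant-time comparison; reject before the value is used anywhere.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    return $lockedPart === '' ? [] : explode('|', $lockedPart);
}

// Constructed sample input.
$fields = ['Post.title', 'Post.body'];
$token  = buildToken($fields, ['Post.id']);
var_dump(validateToken($token, $fields));                 // untouched token
var_dump(validateToken($token . '|Post.extra', $fields)); // tampered locked-field list
var_dump(validateToken('O:8:"stdClass":0:{}', $fields));  // serialized-object string in place of a token
```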

Affected Versions

All versions starting from 1.2.8 before 1.3.6

Solution

Upgrade to version 1.3.6 or above.

Last Modified

2023-01-16
