GHSA-g2vx-8v47-4vhh, CVE-2010-4335
packagist/cakephp/cakephp
Improper Input Validation
The validatePost function in libs/controller/components/security.php in CakePHP 1.3.x through 1.3.5 and 1.2.8 allows remote attackers to modify the internal Cake cache and execute arbitrary code via a crafted data[_Token][fields] value that is processed by the unserialize function, as demonstrated by modifying the filemap cache to execute arbitrary local files.
All versions from 1.2.8 up to, but not including, 1.3.6
Upgrade to version 1.3.6 or above.
2023-01-16