GMS-2023-69: CakePHP SecurityComponent cross form submission issue

January 20, 2023

Prior to versions 2.4.8 and 1.3.18, forms secured by SecurityComponent could be submitted to any action without triggering SecurityComponent’s tampering protection. If an application contained multiple POST forms to manipulate the same models, it could be vulnerable to mass assignment issues.

References

bakery.cakephp.org/2014/04/29/CakePHP-1-3-18-and-2-4-8-released.html
github.com/FriendsOfPHP/security-advisories/blob/master/cakephp/cakephp/2014-04-29.yaml
github.com/advisories/GHSA-j9q2-f9q7-jhgq
github.com/cakephp/cakephp/commit/f23d811ff59c50ef278e98bb75f4ec1e7e54a5b3

Detect and mitigate GMS-2023-69 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →