Advisory Database
  • Advisories
  • Dependency Scanning
  1. composer
  2. ›
  3. cakephp/cakephp
  4. ›
  5. GMS-2023-70

GMS-2023-70: CakePHP vulnerable to Remote File Inclusion through View template name manipulation

January 20, 2023 (updated March 27, 2023)

CakePHP 2.x prior to 2.0.99, 2.1.99, 2.2.99, 2.3.99, 2.4.99, 2.5.99, 2.6.12, and 2.7.6 and 3.x prior to 3.0.15 and 3.1.4 is vulnerable to Remote File Inclusion through View template name manipulation.

References

  • bakery.cakephp.org/2015/11/05/cakephp_3015_314_2612_276_released.html
  • github.com/FriendsOfPHP/security-advisories/blob/master/cakephp/cakephp/2015-11-05.yaml
  • github.com/advisories/GHSA-p76f-wr22-4rv6
  • github.com/cakephp/cakephp/commit/5e60cc5d182e6131e3fbdfdf69f49d560c9ff78b

Code Behaviors & Features

Detect and mitigate GMS-2023-70 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions starting from 2.0.0 before 2.0.99, all versions starting from 2.1.0 before 2.1.99, all versions starting from 2.2.0 before 2.2.99, all versions starting from 2.3.0 before 2.3.99, all versions starting from 2.4.0 before 2.4.99, all versions starting from 2.5.0 before 2.5.99, all versions starting from 2.6.0 before 2.6.12, all versions starting from 2.7.0 before 2.7.6, all versions starting from 3.0.0 before 3.0.15, all versions starting from 3.1.0 before 3.1.4

Fixed versions

  • 2.0.99
  • 2.1.99
  • 2.2.99
  • 2.3.99
  • 2.4.99
  • 2.5.99
  • 2.6.12
  • 2.7.6
  • 3.0.15
  • 3.1.4

Solution

Upgrade to versions 2.0.99, 2.1.99, 2.2.99, 2.3.99, 2.4.99, 2.5.99, 2.6.12, 2.7.6, 3.0.15, 3.1.4 or above.

Source file

packagist/cakephp/cakephp/GMS-2023-70.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Wed, 14 May 2025 12:15:19 +0000.