GMS-2023-70: CakePHP vulnerable to Remote File Inclusion through View template name manipulation

January 20, 2023 (updated March 27, 2023)

CakePHP 2.x prior to 2.0.99, 2.1.99, 2.2.99, 2.3.99, 2.4.99, 2.5.99, 2.6.12, and 2.7.6 and 3.x prior to 3.0.15 and 3.1.4 is vulnerable to Remote File Inclusion through View template name manipulation.

References

bakery.cakephp.org/2015/11/05/cakephp_3015_314_2612_276_released.html
github.com/FriendsOfPHP/security-advisories/blob/master/cakephp/cakephp/2015-11-05.yaml
github.com/advisories/GHSA-p76f-wr22-4rv6
github.com/cakephp/cakephp/commit/5e60cc5d182e6131e3fbdfdf69f49d560c9ff78b

Code Behaviors & Features

Detect and mitigate GMS-2023-70 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →