CVE-2015-8379

EUVD-2022-2499
CakePHP 2.x and 3.x before 3.1.5 might allow remote attackers to bypass the CSRF protection mechanism via the _method parameter.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 15%
Affected Products (NVD)
VendorProductVersion
cakephpcakephp
2.0.0
cakephpcakephp
2.0.0:alpha
cakephpcakephp
2.0.0:beta
cakephpcakephp
2.0.0:dev
cakephpcakephp
2.0.0:rc1
cakephpcakephp
2.0.0:rc2
cakephpcakephp
2.0.0:rc3
cakephpcakephp
2.0.1
cakephpcakephp
2.0.2
cakephpcakephp
2.0.3
cakephpcakephp
2.0.4
cakephpcakephp
2.0.5
cakephpcakephp
2.0.6
cakephpcakephp
2.1.0
cakephpcakephp
2.1.0:alpha
cakephpcakephp
2.1.0:beta
cakephpcakephp
2.1.0:rc1
cakephpcakephp
2.1.1
cakephpcakephp
2.1.2
cakephpcakephp
2.1.3
cakephpcakephp
2.1.4
cakephpcakephp
2.1.5
cakephpcakephp
2.2.0
cakephpcakephp
2.2.0:beta
cakephpcakephp
2.2.0:rc1
cakephpcakephp
2.2.0:rc2
cakephpcakephp
2.2.1
cakephpcakephp
2.2.2
cakephpcakephp
2.2.3
cakephpcakephp
2.2.4
cakephpcakephp
2.2.5
cakephpcakephp
2.2.6
cakephpcakephp
2.2.7
cakephpcakephp
2.2.8
cakephpcakephp
2.2.9
cakephpcakephp
2.3.0
cakephpcakephp
2.3.0:beta
cakephpcakephp
2.3.0:rc1
cakephpcakephp
2.3.0:rc2
cakephpcakephp
2.3.1
cakephpcakephp
2.3.2
cakephpcakephp
2.3.3
cakephpcakephp
2.3.4
cakephpcakephp
2.3.5
cakephpcakephp
2.3.6
cakephpcakephp
2.3.7
cakephpcakephp
2.3.8
cakephpcakephp
2.3.9
cakephpcakephp
2.3.10
cakephpcakephp
2.4.0
cakephpcakephp
2.4.0:beta
cakephpcakephp
2.4.0:rc1
cakephpcakephp
2.4.0:rc2
cakephpcakephp
2.4.1
cakephpcakephp
2.4.2
cakephpcakephp
2.4.3
cakephpcakephp
2.4.4
cakephpcakephp
2.4.5
cakephpcakephp
2.4.6
cakephpcakephp
2.4.7
cakephpcakephp
2.4.8
cakephpcakephp
2.4.9
cakephpcakephp
2.4.10
cakephpcakephp
2.5.0
cakephpcakephp
2.5.0:beta
cakephpcakephp
2.5.0:rc1
cakephpcakephp
2.5.0:rc2
cakephpcakephp
2.5.1
cakephpcakephp
2.5.2
cakephpcakephp
2.5.3
cakephpcakephp
2.5.4
cakephpcakephp
2.5.5
cakephpcakephp
2.5.6
cakephpcakephp
2.5.7
cakephpcakephp
2.5.8
cakephpcakephp
2.5.9
cakephpcakephp
2.6.0
cakephpcakephp
2.6.0:beta
cakephpcakephp
2.6.0:rc1
cakephpcakephp
2.6.1
cakephpcakephp
2.6.2
cakephpcakephp
2.6.3
cakephpcakephp
2.6.4
cakephpcakephp
2.6.5
cakephpcakephp
2.6.6
cakephpcakephp
2.6.7
cakephpcakephp
2.6.8
cakephpcakephp
2.6.9
cakephpcakephp
2.6.10
cakephpcakephp
2.6.11
cakephpcakephp
2.6.12
cakephpcakephp
2.7.0
cakephpcakephp
2.7.0:rc1
cakephpcakephp
2.7.1
cakephpcakephp
2.7.2
cakephpcakephp
2.7.3
cakephpcakephp
2.7.4
cakephpcakephp
2.7.5
cakephpcakephp
2.7.6
cakephpcakephp
2.7.7
cakephpcakephp
2.7.8
cakephpcakephp
2.7.9
cakephpcakephp
2.8.0:rc1
cakephpcakephp
3.0.0
cakephpcakephp
3.0.0:alpha1
cakephpcakephp
3.0.0:alpha2
cakephpcakephp
3.0.0:beta1
cakephpcakephp
3.0.0:beta2
cakephpcakephp
3.0.0:beta3
cakephpcakephp
3.0.0:dev1
cakephpcakephp
3.0.0:dev2
cakephpcakephp
3.0.0:dev3
cakephpcakephp
3.0.0:rc1
cakephpcakephp
3.0.0:rc2
cakephpcakephp
3.0.1
cakephpcakephp
3.0.2
cakephpcakephp
3.0.3
cakephpcakephp
3.0.4
cakephpcakephp
3.0.5
cakephpcakephp
3.0.6
cakephpcakephp
3.0.7
cakephpcakephp
3.0.8
cakephpcakephp
3.0.9
cakephpcakephp
3.0.10
cakephpcakephp
3.0.11
cakephpcakephp
3.0.12
cakephpcakephp
3.0.13
cakephpcakephp
3.0.14
cakephpcakephp
3.0.15
cakephpcakephp
3.1.0
cakephpcakephp
3.1.0:beta1
cakephpcakephp
3.1.0:beta2
cakephpcakephp
3.1.0:rc1
cakephpcakephp
3.1.1
cakephpcakephp
3.1.2
cakephpcakephp
3.1.3
cakephpcakephp
3.1.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
cakephp
bullseye
2.10.11-2.1
fixed
jessie
no-dsa
wheezy
not-affected
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
cakephp
artful
ignored
bionic
dne
cosmic
not-affected
precise
ignored
trusty
dne
vivid
ignored
wily
ignored
xenial
not-affected
yakkety
ignored
zesty
ignored
Common Weakness Enumeration
References
http://bakery.cakephp.org/2015/11/29/cakephp_315_released.html
http://blog.mindedsecurity.com/2016/01/request-parameter-method-may-lead-to.html
http://karmainsecurity.com/KIS-2016-01
http://packetstormsecurity.com/files/135301/CakePHP-3.2.0-CSRF-Bypass.html
http://seclists.org/fulldisclosure/2016/Jan/42
http://www.securityfocus.com/archive/1/537317/100/0/threaded
https://github.com/cakephp/cakephp/commit/0f818a23a876c01429196bf7623e1e94a50230f0
http://bakery.cakephp.org/2015/11/29/cakephp_315_released.html
http://blog.mindedsecurity.com/2016/01/request-parameter-method-may-lead-to.html
http://karmainsecurity.com/KIS-2016-01
http://packetstormsecurity.com/files/135301/CakePHP-3.2.0-CSRF-Bypass.html
http://seclists.org/fulldisclosure/2016/Jan/42
http://www.securityfocus.com/archive/1/537317/100/0/threaded
https://github.com/cakephp/cakephp/commit/0f818a23a876c01429196bf7623e1e94a50230f0