CVE-2015-8379

CakePHP 2.x and 3.x before 3.1.5 might allow remote attackers to bypass the CSRF protection mechanism via the _method parameter.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 50%
VendorProductVersion
cakephpcakephp
2.0.0
cakephpcakephp
2.0.0:alpha
cakephpcakephp
2.0.0:beta
cakephpcakephp
2.0.0:dev
cakephpcakephp
2.0.0:rc1
cakephpcakephp
2.0.0:rc2
cakephpcakephp
2.0.0:rc3
cakephpcakephp
2.0.1
cakephpcakephp
2.0.2
cakephpcakephp
2.0.3
cakephpcakephp
2.0.4
cakephpcakephp
2.0.5
cakephpcakephp
2.0.6
cakephpcakephp
2.1.0
cakephpcakephp
2.1.0:alpha
cakephpcakephp
2.1.0:beta
cakephpcakephp
2.1.0:rc1
cakephpcakephp
2.1.1
cakephpcakephp
2.1.2
cakephpcakephp
2.1.3
cakephpcakephp
2.1.4
cakephpcakephp
2.1.5
cakephpcakephp
2.2.0
cakephpcakephp
2.2.0:beta
cakephpcakephp
2.2.0:rc1
cakephpcakephp
2.2.0:rc2
cakephpcakephp
2.2.1
cakephpcakephp
2.2.2
cakephpcakephp
2.2.3
cakephpcakephp
2.2.4
cakephpcakephp
2.2.5
cakephpcakephp
2.2.6
cakephpcakephp
2.2.7
cakephpcakephp
2.2.8
cakephpcakephp
2.2.9
cakephpcakephp
2.3.0
cakephpcakephp
2.3.0:beta
cakephpcakephp
2.3.0:rc1
cakephpcakephp
2.3.0:rc2
cakephpcakephp
2.3.1
cakephpcakephp
2.3.2
cakephpcakephp
2.3.3
cakephpcakephp
2.3.4
cakephpcakephp
2.3.5
cakephpcakephp
2.3.6
cakephpcakephp
2.3.7
cakephpcakephp
2.3.8
cakephpcakephp
2.3.9
cakephpcakephp
2.3.10
cakephpcakephp
2.4.0
cakephpcakephp
2.4.0:beta
cakephpcakephp
2.4.0:rc1
cakephpcakephp
2.4.0:rc2
cakephpcakephp
2.4.1
cakephpcakephp
2.4.2
cakephpcakephp
2.4.3
cakephpcakephp
2.4.4
cakephpcakephp
2.4.5
cakephpcakephp
2.4.6
cakephpcakephp
2.4.7
cakephpcakephp
2.4.8
cakephpcakephp
2.4.9
cakephpcakephp
2.4.10
cakephpcakephp
2.5.0
cakephpcakephp
2.5.0:beta
cakephpcakephp
2.5.0:rc1
cakephpcakephp
2.5.0:rc2
cakephpcakephp
2.5.1
cakephpcakephp
2.5.2
cakephpcakephp
2.5.3
cakephpcakephp
2.5.4
cakephpcakephp
2.5.5
cakephpcakephp
2.5.6
cakephpcakephp
2.5.7
cakephpcakephp
2.5.8
cakephpcakephp
2.5.9
cakephpcakephp
2.6.0
cakephpcakephp
2.6.0:beta
cakephpcakephp
2.6.0:rc1
cakephpcakephp
2.6.1
cakephpcakephp
2.6.2
cakephpcakephp
2.6.3
cakephpcakephp
2.6.4
cakephpcakephp
2.6.5
cakephpcakephp
2.6.6
cakephpcakephp
2.6.7
cakephpcakephp
2.6.8
cakephpcakephp
2.6.9
cakephpcakephp
2.6.10
cakephpcakephp
2.6.11
cakephpcakephp
2.6.12
cakephpcakephp
2.7.0
cakephpcakephp
2.7.0:rc1
cakephpcakephp
2.7.1
cakephpcakephp
2.7.2
cakephpcakephp
2.7.3
cakephpcakephp
2.7.4
cakephpcakephp
2.7.5
cakephpcakephp
2.7.6
cakephpcakephp
2.7.7
cakephpcakephp
2.7.8
cakephpcakephp
2.7.9
cakephpcakephp
2.8.0:rc1
cakephpcakephp
3.0.0
cakephpcakephp
3.0.0:alpha1
cakephpcakephp
3.0.0:alpha2
cakephpcakephp
3.0.0:beta1
cakephpcakephp
3.0.0:beta2
cakephpcakephp
3.0.0:beta3
cakephpcakephp
3.0.0:dev1
cakephpcakephp
3.0.0:dev2
cakephpcakephp
3.0.0:dev3
cakephpcakephp
3.0.0:rc1
cakephpcakephp
3.0.0:rc2
cakephpcakephp
3.0.1
cakephpcakephp
3.0.2
cakephpcakephp
3.0.3
cakephpcakephp
3.0.4
cakephpcakephp
3.0.5
cakephpcakephp
3.0.6
cakephpcakephp
3.0.7
cakephpcakephp
3.0.8
cakephpcakephp
3.0.9
cakephpcakephp
3.0.10
cakephpcakephp
3.0.11
cakephpcakephp
3.0.12
cakephpcakephp
3.0.13
cakephpcakephp
3.0.14
cakephpcakephp
3.0.15
cakephpcakephp
3.1.0
cakephpcakephp
3.1.0:beta1
cakephpcakephp
3.1.0:beta2
cakephpcakephp
3.1.0:rc1
cakephpcakephp
3.1.1
cakephpcakephp
3.1.2
cakephpcakephp
3.1.3
cakephpcakephp
3.1.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
cakephp
bullseye
2.10.11-2.1
fixed
jessie
no-dsa
wheezy
not-affected
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
cakephp
cosmic
not-affected
bionic
dne
artful
ignored
zesty
ignored
yakkety
ignored
xenial
not-affected
wily
ignored
vivid
ignored
trusty
dne
precise
ignored
Common Weakness Enumeration
References
http://bakery.cakephp.org/2015/11/29/cakephp_315_released.html
http://blog.mindedsecurity.com/2016/01/request-parameter-method-may-lead-to.html
http://karmainsecurity.com/KIS-2016-01
http://packetstormsecurity.com/files/135301/CakePHP-3.2.0-CSRF-Bypass.html
http://seclists.org/fulldisclosure/2016/Jan/42
http://www.securityfocus.com/archive/1/537317/100/0/threaded
https://github.com/cakephp/cakephp/commit/0f818a23a876c01429196bf7623e1e94a50230f0
http://bakery.cakephp.org/2015/11/29/cakephp_315_released.html
http://blog.mindedsecurity.com/2016/01/request-parameter-method-may-lead-to.html
http://karmainsecurity.com/KIS-2016-01
http://packetstormsecurity.com/files/135301/CakePHP-3.2.0-CSRF-Bypass.html
http://seclists.org/fulldisclosure/2016/Jan/42
http://www.securityfocus.com/archive/1/537317/100/0/threaded
https://github.com/cakephp/cakephp/commit/0f818a23a876c01429196bf7623e1e94a50230f0