CakePHP vulnerable to Cross-site Scripting in some development error pages
Moderate severity
GitHub Reviewed
Published Jan 20, 2023 to the GitHub Advisory Database • Updated Jan 20, 2023
Package
Affected versions
>= 3.4.0, < 3.4.14
>= 3.5.0, < 3.5.17
>= 3.6.0, < 3.6.4
Patched versions
3.4.14
3.5.17
3.6.4
Description
CakePHP 3.4 prior to 3.4.14, 3.5 prior to 3.5.17, and 3.6 prior to 3.6.4 contains a cross-site scripting (XSS) vulnerability in the development-only "missing route" and "duplicate named route" error pages.
Published to the GitHub Advisory Database: Jan 20, 2023
Reviewed: Jan 20, 2023
Last updated: Jan 20, 2023
References