Vulnerability Description
CakePHP 2.x and 3.x before 3.1.5 might allow remote attackers to bypass the CSRF protection mechanism via the _method parameter. In CakePHP, _method is the HTTP method override field (FormHelper emits it as a hidden input) that lets a browser POST be treated as PUT, PATCH or DELETE; because the framework rewrites its notion of the request method from this attacker-controlled parameter, the method the CSRF check reasons about can differ from the method the browser actually sent.
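Added illustrative model, not code from CakePHP or from any of the referenced advisories: the page states only that the bypass runs through the _method parameter, so the sketch below assumes the common shape of this bug class, in which the method override is applied before the CSRF gate decides whether a request is "safe" (GET/HEAD/OPTIONS) and skips token validation on that basis. A hardened gate is shown beside it. The function names, the cookie and field names csrfToken and _csrfToken, and the sample requests are all hypothetical.

```php
<?php
// Illustrative model of a method-override CSRF bypass (assumption: the
// override is honoured before the "safe method" decision). Not CakePHP code.
declare(strict_types=1);

const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS'];
const OVERRIDABLE_TO = ['PUT', 'PATCH', 'DELETE'];

function tokenValid(array $post, array $cookie): bool
{
    // Constant-time comparison of the double-submit token (hypothetical field names).
    return isset($post['_csrfToken'], $cookie['csrfToken'])
        && hash_equals($cookie['csrfToken'], (string) $post['_csrfToken']);
}

/**
 * Vulnerable gate: _method is applied first and the CSRF decision trusts
 * the overridden method. A cross-site POST carrying _method=GET is
 * classified as "safe", skips token validation, and its body still
 * reaches the action.
 */
function csrfGateVulnerable(string $transportMethod, array $post, array $cookie): array
{
    $method = strtoupper($transportMethod);
    if (isset($post['_method'])) {
        $method = strtoupper((string) $post['_method']);   // override honoured unconditionally
    }
    if (in_array($method, SAFE_METHODS, true)) {
        return ['allowed' => true, 'method' => $method, 'reason' => 'safe method, token not checked'];
    }
    $ok = tokenValid($post, $cookie);
    return ['allowed' => $ok, 'method' => $method, 'reason' => $ok ? 'token valid' : 'token missing or invalid'];
}

/**
 * Hardened gate: "is this request safe?" is decided from the transport
 * method alone. The override is consulted only after the token has been
 * validated, and may only move a POST to another state-changing verb,
 * never to a safe one.
 */
function csrfGateHardened(string $transportMethod, array $post, array $cookie): array
{
    $transport = strtoupper($transportMethod);
    if (in_array($transport, SAFE_METHODS, true)) {
        // A genuinely safe verb never carries a form body worth overriding; ignore _method.
        return ['allowed' => true, 'method' => $transport, 'reason' => 'safe transport method'];
    }
    if (!tokenValid($post, $cookie)) {
        return ['allowed' => false, 'method' => $transport, 'reason' => 'token missing or invalid'];
    }
    $method = $transport;
    if ($transport === 'POST' && isset($post['_method'])) {
        $override = strtoupper((string) $post['_method']);
        if (in_array($override, OVERRIDABLE_TO, true)) {
            $method = $override;
        }
    }
    return ['allowed' => true, 'method' => $method, 'reason' => 'token valid'];
}

// Constructed samples: the victim's cookie, a forged cross-site POST with no
// token that relabels itself as GET, and a legitimate PUT-via-POST form.
$cookie = ['csrfToken' => bin2hex(random_bytes(16))];
$forged = ['_method' => 'GET', 'email' => 'attacker@example.com'];
$legit  = ['_method' => 'PUT', '_csrfToken' => $cookie['csrfToken'], 'email' => 'user@example.com'];

foreach (['vulnerable' => 'csrfGateVulnerable', 'hardened' => 'csrfGateHardened'] as $label => $gate) {
    foreach (['forged' => $forged, 'legit' => $legit] as $name => $post) {
        $r = $gate('POST', $post, $cookie);
        printf("%-10s %-6s allowed=%-3s method=%-4s (%s)\n",
            $label, $name, $r['allowed'] ? 'yes' : 'no', $r['method'], $r['reason']);
    }
}
```

Running it shows the vulnerable gate admitting the token-less forged request as a "GET" while the hardened gate rejects it, and both gates admitting the legitimate PUT override. The design point is the ordering: classify the request by what the transport layer delivered, validate the token, and only then let a form field refine the verb.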
CVSS Score
8.8
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cakephp | Cakephp | 2.0.0 |
The product table lists only 2.0.0; per the description above, the affected range is every 2.x release and the 3.x releases before 3.1.5.
Related Weaknesses (CWE)
References
- http://bakery.cakephp.org/2015/11/29/cakephp_315_released.html (Vendor Advisory)
- http://blog.mindedsecurity.com/2016/01/request-parameter-method-may-lead-to.html (Exploit)
- http://karmainsecurity.com/KIS-2016-01 (Exploit)
- http://packetstormsecurity.com/files/135301/CakePHP-3.2.0-CSRF-Bypass.html (Exploit)
- http://seclists.org/fulldisclosure/2016/Jan/42 (Exploit)
- http://www.securityfocus.com/archive/1/537317/100/0/threaded
- https://github.com/cakephp/cakephp/commit/0f818a23a876c01429196bf7623e1e94a50230 (Patch)
FAQ
What is CVE-2015-8379?
CVE-2015-8379 is a vulnerability with a CVSS score of 8.8 (HIGH). CakePHP 2.x and 3.x before 3.1.5 might allow remote attackers to bypass the CSRF protection mechanism via the _method parameter.
How severe is CVE-2015-8379?
CVE-2015-8379 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-8379?
Yes. The vendor advisory in the references announces CakePHP 3.1.5, and the linked GitHub commit is the fix; 3.x installations should upgrade to 3.1.5 or later. For 2.x the page gives no fixed version, so consult the vendor advisory before choosing a target release. Affected products include: Cakephp Cakephp.