Lucene search
GoogleOSV:GHSA-9PGX-PF36-W46RHistoryMay 24, 2022 - 5:40 p.m.
CakePHP allows method override parameters to bypass CSRF checks
2022-05-2417:40:14
Google
osv.dev
9
cakephp
csrfprotectionmiddleware
vulnerability
method override
bypass
csrf checks
http request
route middleware
EPSS
0.001
Percentile
41.8%
A vulnerability exists in CakePHP versions 4.0.x through 4.1.3. The CsrfProtectionMiddleware component allows method override parameters to bypass CSRF checks by changing the HTTP request method to an arbitrary string that is not in the list of request methods that CakePHP checks. Additionally, the route middleware does not verify that this overriden method (which can be an arbitrary string) is actually an HTTP method.
Related
prion
prion
Cross site request forgery (csrf)
2021-01-26 18:15:00
osv
osv
CVE-2020-35239
2021-01-26 18:15:53
debiancve
debiancve
CVE-2020-35239
2021-01-26 18:15:53
cvelist
cvelist
CVE-2020-35239
2021-01-20 23:37:02
nvd
nvd
CVE-2020-35239
2021-01-26 18:15:53
veracode
veracode
Cross-site Request Forgery (CSRF)
2021-01-27 13:26:42
ubuntucve
ubuntucve
CVE-2020-35239
2021-01-26 00:00:00
cve
cve
CVE-2020-35239
2021-01-26 18:15:53
github
github
CakePHP allows method override parameters to bypass CSRF checks
2022-05-24 17:40:14
cakephp
cakephp
CakePHP 4.0.10 Released
2020-12-07 00:00:00