CakePHP 2.x and 3.x before 3.1.5 might allow remote attackers to bypass the CSRF protection mechanism via the _method parameter.
8.8CVSS
8.6AI Score
0.032EPSS
The clientIp function in CakePHP 3.2.4 and earlier allows remote attackers to spoof their IP via the CLIENT-IP HTTP header.
7.5CVSS
7.3AI Score
0.067EPSS
CakePHP is a development framework for PHP web apps. In affected versions the Cake\Database\Query::limit() and Cake\Database\Query::offset() methods are vulnerable to SQL injection if passed un-sanitized user request data. This issue has been fixed in 4.2.12, 4.3.11, 4.4.10. Users are advised to up...
9.8CVSS
9.8AI Score
0.002EPSS