Description

CakePHP is a rapid development framework for PHP that provides an extensible architecture for developing, maintaining, and deploying applications. Using commonly known design patterns like MVC and ORM within the convention over configuration paradigm, CakePHP reduces development costs and helps developers write less code.

CakePHP is vulnerable to a file inclusion attack because of its use of the "unserialize()" function on unchecked user input. This makes it possible to inject arbitary objects into the scope.

Remediation

Upgrade CakePHP to the latest version.

References

CakePHP <= 1.3.5 / 1.2.8 unserialize() Vulnerability

CakePHP website

Related Vulnerabilities

PostgreSQL Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2023-39417)

WebLogic Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Vulnerability (CVE-2019-2725)

MySQL CVE-2021-35608 Vulnerability (CVE-2021-35608)

OpenSSL NULL Pointer Dereference Vulnerability (CVE-2008-1672)

PrestaShop CVE-2023-39529 Vulnerability (CVE-2023-39529)

Severity

High

Classification

CVE-2010-4335 CWE-20 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Code Execution Known Vulnerabilities Insecure Deserialization