SB2019050806 - Input validation error in CakePHP
Published: May 8, 2019 Updated: August 8, 2020
Description
This security bulletin contains information about 1 vulnerability.
1) Input validation error (CVE-ID: CVE-2019-11458)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
An issue was discovered in SmtpTransport in CakePHP 3.7.6. An unserialized object with modified internal properties can trigger arbitrary file overwriting upon destruction.
Remediation
Install the update from the vendor's website.
References
- https://bakery.cakephp.org/2019/04/23/cakephp_377_3615_3518_released.html
- https://github.com/cakephp/cakephp/commit/1a74e798309192a9895c9cedabd714ceee345f4e
- https://github.com/cakephp/cakephp/commits/master
- https://github.com/cakephp/cakephp/compare/3.7.6...3.7.7
- https://github.com/cakephp/cakephp/releases