Input validation error in CakePHP - CVE-2019-11458

 


Published: May 8, 2019 / Updated: August 8, 2020


Vulnerability identifier: #VU35925
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-11458
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: CakePHP
Affected software: CakePHP

Detailed vulnerability description

The vulnerability allows a remote unauthenticated attacker to manipulate data.

An issue was discovered in SmtpTransport in CakePHP 3.7.6. An unserialized object with modified internal properties can trigger arbitrary file overwriting upon destruction.


How to mitigate CVE-2019-11458

Install the update from the vendor's website.
