Home > Vulnerability Database > CVE-2020-35239

Mend.io Vulnerability Database

CVE-2020-35239

Good to know:

Date: January 26, 2021

A vulnerability exists in CakePHP versions 4.0.x through 4.1.3. The CsrfProtectionMiddleware component allows method override parameters to bypass CSRF checks by changing the HTTP request method to an arbitrary string that is not in the list of request methods that CakePHP checks. Additionally, the route middleware does not verify that this overriden method (which can be an arbitrary string) is actually an HTTP method.

Language: PHP

Severity Score

8.8

Related Resources (8)

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-35239

Url:

Url: https://github.com/cakephp/cakephp/commit/45474a4a9ca10e7c16db40180d086e4144006a9b

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2020-35239

Url: https://bakery.cakephp.org/2020/12/07/cakephp_4010_released.html

Url: https://security-tracker.debian.org/tracker/CVE-2020-35239

Url: https://github.com/cakephp/cakephp/commit/9e0802f3e4d22bf1fb4d26f0b23a3dec94f0c4b7

Url: https://www.mend.io/vulnerability-database/CVE-2020-35239

Severity Score

8.8

Weakness Type (CWE)

Cross-Site Request Forgery (CSRF)

CWE-352

Top Fix

Upgrade Version

Upgrade to version 4.0.10,4.1.4

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	6.8
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-35239

Good to know:

Date: January 26, 2021

Language: PHP

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?