Debian Long Term Support / LTS Security Information / 2015 / Security Information -- DLA-333-1 cakephp

Debian Security Advisory

DLA-333-1 cakephp -- LTS security update

Date Reported:

23 Oct 2015

Affected Packages:

cakephp

Vulnerable:

Yes

Security database references:

No other external database security references currently available.

More information:

CakePHP, an open-source web application framework for PHP, was vulnerable to SSRF (Server Side Request Forgery) attacks. Remote attacker can utilize it for at least DoS (Denial of Service) attacks, if the target application accepts XML as an input. It is caused by insecure design of Cake's Xml class.

For Debian 6 Squeeze, this issue has been fixed in cakephp version 1.3.2-1.1+deb6u11.