CVE-2015-8379
HIGH 8.8 | EPSS 0.06%
CakePHP might allow remote attackers to bypass CSRF protection mechanism via the _method parameter
Published: 5/14/2022 | Modified: 4/28/2026
Description
CakePHP 2.x and 3.x before 3.1.5 might allow remote attackers to bypass the CSRF protection mechanism via the _method parameter.
Affected packages (2)
- Debian/cakephp: from 0, < 2.8.0-1
- Packagist/cakephp/cakephp: >= 2.0.0-alpha, < 3.1.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
References (10)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2015-8379
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2015-8379
- PATCH: https://github.com/cakephp/cakephp
- WEB: http://bakery.cakephp.org/2015/11/29/cakephp_315_released.html
- WEB: http://blog.mindedsecurity.com/2016/01/request-parameter-method-may-lead-to.html
- WEB: http://karmainsecurity.com/KIS-2016-01
- WEB: http://packetstormsecurity.com/files/135301/CakePHP-3.2.0-CSRF-Bypass.html
- WEB: http://seclists.org/fulldisclosure/2016/Jan/42
- WEB: https://github.com/cakephp/cakephp/commit/0f818a23a876c01429196bf7623e1e94a50230f0
- WEB: http://www.securityfocus.com/archive/1/537317/100/0/threaded