Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2016-4793 — Improper Input Validation in Cakephp

CWE-20 — Improper Input Validation7 documents6 sources

Severity

7.5HIGHNVD

EPSS

8.3%

top 7.75%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Cakephp Debian Cakephp Citrix Sd-wan +2 more

Timeline

PublishedJan 23

Latest updateMay 14

Description

The clientIp function in CakePHP 3.2.4 and earlier allows remote attackers to spoof their IP via the CLIENT-IP HTTP header.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages7 packages

▶debiandebian/cakephp< cakephp 2.8.3-1 (bullseye)

▶Packagistcakephp/cakephp1.2.0 — 2.6.13+5

▶Debiancakephp/cakephp< 2.8.3-1

▶NVDcakephp/cakephp3.2.4

▶citrixcitrix/sd-wan

Patches

Patch: bakery.cakephp.org ↗Patch: bakery.cakephp.org ↗

🔴Vulnerability Details

GHSA

CakePHP allows remote attackers to spoof their IP↗2022-05-14

▶

OSV

CakePHP allows remote attackers to spoof their IP↗2022-05-14

▶

OSV

CVE-2016-4793: The clientIp function in CakePHP 3↗2017-01-23

▶

💥Exploits & PoCs

Exploit-DB

CakePHP Framework 3.2.4 - IP Spoofing↗2016-05-16

▶

📋Vendor Advisories

Debian

CVE-2016-4793: cakephp - The clientIp function in CakePHP 3.2.4 and earlier allows remote attackers to sp...↗2016

▶

Citrix

Citrix SD-WAN Multiple Security Updates↗

▶