CVE-2020-15400
published 2020-06-30CVE-2020-15400: CakePHP before 4.0.6 mishandles CSRF token generation. This might be remotely exploitable in conjunction with XSS.
PriorityP417medium4.3CVSS 3.1
AVNACLPRNUIRSUCNILAN
EPSS
0.45%
35.6th percentile
CakePHP before 4.0.6 mishandles CSRF token generation. This might be remotely exploitable in conjunction with XSS.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cakefoundation | cakephp | < 4.0.6 | 4.0.6 |
| cakephp | cakephp | >= 0 < 3.10.3 | 3.10.3 |
| cakephp | cakephp | >= 4.0.0 < 4.0.6 | 4.0.6 |
| debian | cakephp | — | — |
CVSS provenance
nvdv3.14.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
osv4.3MEDIUM
vendor_debian4.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Cross-Site Request Forgery in CakePHP
ghsa·2022-02-10
CVE-2020-15400 [MEDIUM] CWE-352 Cross-Site Request Forgery in CakePHP
Cross-Site Request Forgery in CakePHP
CakePHP before 4.0.6 and 3.10.3 mishandles CSRF token generation. This might be remotely exploitable in conjunction with XSS.
OSV
Cross-Site Request Forgery in CakePHP
osv·2022-02-10
CVE-2020-15400 [MEDIUM] Cross-Site Request Forgery in CakePHP
Cross-Site Request Forgery in CakePHP
CakePHP before 4.0.6 and 3.10.3 mishandles CSRF token generation. This might be remotely exploitable in conjunction with XSS.
OSV
CVE-2020-15400: CakePHP before 4
osv·2020-06-30·CVSS 4.3
CVE-2020-15400 [MEDIUM] CVE-2020-15400: CakePHP before 4
CakePHP before 4.0.6 mishandles CSRF token generation. This might be remotely exploitable in conjunction with XSS.
Debian
CVE-2020-15400: cakephp - CakePHP before 4.0.6 mishandles CSRF token generation. This might be remotely ex...
vendor_debian·2020·CVSS 4.3
CVE-2020-15400 [MEDIUM] CVE-2020-15400: cakephp - CakePHP before 4.0.6 mishandles CSRF token generation. This might be remotely ex...
CakePHP before 4.0.6 mishandles CSRF token generation. This might be remotely exploitable in conjunction with XSS.
Scope: local
bullseye: open
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2020-06-30
Published