The vulnerability stemmed from missing cookie-presence validation in CsrfComponent's token verification. The pre-patch code compared the POST-field token and the X-CSRF-Token header value against the CSRF cookie value without first verifying that the cookie existed. When the cookie is absent, its value is null, and a request that also omits the POST field or the header yields null on that side of the comparison too, so the strict equality check succeeds and a cross-site request carrying neither token is accepted. The fix added an explicit presence check (`empty($cookie)`) that rejects the request before any comparison is made. This matches the advisory description of failing to invalidate requests missing both token types. The commit diff and the added test case (testInvalidTokenMissingCookie) confirm this was the vulnerable code path.
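The following is an added illustration of the before/after logic described above, written for this page; it is not CakePHP's own code. The request model (plain arrays for cookies, POST data and headers), the field name `_csrfToken`, the cookie name `csrfToken` and the `X-CSRF-Token` header are assumptions chosen to mirror the description, and the two validators reproduce only the comparison logic, not the real component. It requires PHP 8.1 or later.

```php
<?php
declare(strict_types=1);

// Added example, not CakePHP code. The request is modelled as three arrays so
// the script runs stand-alone; names of the cookie, field and header are assumed.
final class Request
{
    public function __construct(
        public readonly array $cookies = [],
        public readonly array $data = [],
        public readonly array $headers = [],
    ) {}

    // Each accessor returns null when the value is absent, which is the
    // behaviour the bypass depends on.
    public function cookie(string $name): ?string { return $this->cookies[$name] ?? null; }
    public function data(string $name): ?string   { return $this->data[$name] ?? null; }
    public function header(string $name): ?string { return $this->headers[$name] ?? null; }
}

final class ForbiddenException extends RuntimeException {}

// Pre-patch shape: compare submitted tokens against the cookie without checking
// that the cookie exists. With no cookie, $cookie is null; a missing POST field
// or header is also null, so null === null passes and the request is accepted.
function validateTokenVulnerable(Request $request): void
{
    $cookie = $request->cookie('csrfToken');
    $post   = $request->data('_csrfToken');
    $header = $request->header('X-CSRF-Token');

    if ($post === $cookie || $header === $cookie) {
        return;
    }
    throw new ForbiddenException('Invalid CSRF token.');
}

// Patched shape: reject as soon as the cookie is absent, then compare.
function validateTokenFixed(Request $request): void
{
    $cookie = $request->cookie('csrfToken');
    if (empty($cookie)) {
        throw new ForbiddenException('Missing CSRF token cookie.');
    }
    $post   = $request->data('_csrfToken');
    $header = $request->header('X-CSRF-Token');

    if ($post === $cookie || $header === $cookie) {
        return;
    }
    throw new ForbiddenException('Invalid CSRF token.');
}

// Run a validator and report the outcome instead of letting the exception escape.
function outcome(callable $validator, Request $request): string
{
    try {
        $validator($request);
        return 'accepted';
    } catch (ForbiddenException $e) {
        return 'rejected';
    }
}

// Constructed sample requests; the third one is what a browser sends on a
// cross-site POST when it has no CSRF cookie for the target origin.
$cases = [
    'valid token'               => new Request(cookies: ['csrfToken' => 'abc'], data: ['_csrfToken' => 'abc']),
    'wrong token'               => new Request(cookies: ['csrfToken' => 'abc'], data: ['_csrfToken' => 'xyz']),
    'cookie and token missing'  => new Request(),
    'cookie missing, token sent' => new Request(data: ['_csrfToken' => 'abc']),
];

foreach ($cases as $label => $request) {
    printf(
        "%-28s vulnerable=%-8s fixed=%s\n",
        $label,
        outcome('validateTokenVulnerable', $request),
        outcome('validateTokenFixed', $request)
    );
}
```

In this model the pre-patch validator accepts both of the cookie-less requests, not only the one that omits every token: as long as the header is absent, `$header === $cookie` is `null === null` and succeeds, so a forged POST from another origin needs no token at all. The patched validator rejects both before comparing anything. One caveat worth knowing about the `empty()` presence check is that it also treats the string `"0"` as absent; for randomly generated tokens that is harmless, but a stricter `$cookie === null || $cookie === ''` test avoids the corner case.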
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| cakephp/cakephp | composer | >= 3.0.0, < 3.0.4 | 3.0.4 |