CVE-2020-15400

Description

CakePHP before 4.0.6 mishandles CSRF token generation. This might be remotely exploitable in conjunction with XSS.

How to fix CVE-2020-15400

To remediate CVE-2020-15400, upgrade the affected package to a fixed version below.

• Debian/cakephp—no fix listed
• Packagist/cakephp/cakephp—upgrade to 4.0.6 or later

Is CVE-2020-15400 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0
• >= 4.0.0, < 4.0.6

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-15400
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-15400
• WEBbakery.cakephp.org/2020/04/18/cakephp_406_released.html
• WEBbakery.cakephp.org/2022/05/08/cakephp_3103_released.html