CakePHP SecurityComponent cross form submission issue

Published: Jan 20, 2023
Updated: Apr 14, 2023
GHSA: <a href="https://github.com/advisories/GHSA-j9q2-f9q7-jhgq" target="_blank" rel="noopener"> GHSA-j9q2-f9q7-jhgq
Severity: Medium
Exploit:

Prior to versions 2.4.8 and 1.3.18, forms secured by SecurityComponent could be submitted to any action without triggering SecurityComponent’s tampering protection. If an application contained multiple POST forms to manipulate the same models, it could be vulnerable to mass assignment issues.