Detections
Analytics

Debian DLA-566-1 : cakephp security update

high Nessus Plugin ID 92631

Language:

Synopsis

The remote Debian host is missing a security update.

Description

CakePHP, an open source web application framework for PHP, was vulnerable to SSRF (Server Side Request Forgery) attacks. Remote attacker can utilize it for at least DoS (Denial of Service) attacks, if the target application accepts XML as an input. It is caused by insecure design of Cake's Xml class.

For Debian 7 'Wheezy', these problems have been fixed in version 1.3.15-1+deb7u1.

We recommend that you upgrade your cakephp packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Upgrade the affected cakephp, and cakephp-scripts packages.

See Also

https://lists.debian.org/debian-lts-announce/2016/07/msg00028.html

https://packages.debian.org/source/wheezy/cakephp

Plugin Details

Severity: High

ID: 92631

File Name: debian_DLA-566.nasl

Version: 2.3

Type: local

Agent: unix

Published: 8/1/2016

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:cakephp, p-cpe:/a:debian:debian_linux:cakephp-scripts, cpe:/o:debian:debian_linux:7.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 7/28/2016