{ "schema_version": "1.4.0", "id": "GHSA-xwhj-pqcg-8rcr", "modified": "2023-01-20T23:35:17Z", "published": "2023-01-20T23:35:17Z", "aliases": [], "summary": "CakePHP vulnerable to Cross-site Scripting in some development error pages", "details": "CakePHP 3.4 prior to 3.4.14, 3.5 prior to 3.5.17, and 3.6 prior to 3.6.4 contains a cross-site-scripting (XSS) vulnerability in the development-only `missing route` and `duplicate named route` error pages.", "severity": [], "affected": [ { "package": { "ecosystem": "Packagist", "name": "cakephp/cakephp" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.4.0" }, { "fixed": "3.4.14" } ] } ] }, { "package": { "ecosystem": "Packagist", "name": "cakephp/cakephp" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.5.0" }, { "fixed": "3.5.17" } ] } ] }, { "package": { "ecosystem": "Packagist", "name": "cakephp/cakephp" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.6.0" }, { "fixed": "3.6.4" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/cakephp/cakephp/commit/1ea0c87de729e0dcd53eb6fe3bc86ba739121d8e" }, { "type": "WEB", "url": "https://bakery.cakephp.org/2018/05/20/cakephp_364_3517_3414_released.html" }, { "type": "WEB", "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/cakephp/cakephp/2018-05-20.yaml" }, { "type": "PACKAGE", "url": "https://github.com/cakephp/cakephp" } ], "database_specific": { "cwe_ids": [], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-01-20T23:35:17Z", "nvd_published_at": null } }