CakePHP 2.6.11 Released

@markstory released this 07 Aug 02:04

The CakePHP core team is ready to announce the immediate availability of CakePHP 2.6.11. These releases contain important security updates for applications using prefix routing.

Security Issues

There are two issues that can impact the security of a CakePHP application:

  • Unconventional URL paths would allow direct access to prefixed actions without setting the correct request parameters. If your authorization depends on the presence of the prefix routing key, you should upgrade as soon as possible.
  • Validation::compare() and Validation::range() would allow specifically crafted data past certain criteria.

We'd like to thank 'Kurita Takashi' for contacting us through our security issue process about the CsrfComponent issue. We recommend that all users of CakePHP upgrade to one of these releases as soon as possible. CakePHP 3.x is unaffected by the prefix routing issue.
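
For the prefix routing issue above, the following is an added example, not part of the release notes or of CakePHP itself. It shows a CakePHP 2.x `isAuthorized()` that derives the required prefix from the action name as well as from the routing key, beside the weaker form that trusts the routing key alone. The `role` user field and both helper method names are hypothetical.

```php
<?php
// Added example for CakePHP 2.x; not code from the CakePHP project.
// Assumes AuthComponent with ControllerAuthorize and a hypothetical
// 'role' field on the user record whose value matches a routing prefix.
App::uses('Controller', 'Controller');

class AppController extends Controller {

    public $components = array(
        'Auth' => array('authorize' => array('Controller')),
    );

    // Weak pattern (kept for comparison, not wired in): the decision rests
    // on the 'prefix' routing key alone, so a request that reaches an
    // admin_* action without that key set is treated as unprefixed.
    protected function _authorizeByRoutingKeyOnly($user) {
        if (empty($this->request->params['prefix'])) {
            return true;
        }
        return isset($user['role']) && $user['role'] === $this->request->params['prefix'];
    }

    // Hardened pattern: called by ControllerAuthorize for logged-in users.
    public function isAuthorized($user) {
        $required = $this->_requiredPrefix();
        if ($required === null) {
            return true; // genuinely unprefixed action
        }
        return isset($user['role']) && $user['role'] === $required;
    }

    // Hypothetical helper: the action name is checked before the routing
    // key, so admin_* always demands the admin role however it was reached.
    protected function _requiredPrefix() {
        $params = $this->request->params;
        foreach ((array)Configure::read('Routing.prefixes') as $prefix) {
            if (strpos($params['action'], $prefix . '_') === 0) {
                return $prefix;
            }
        }
        return empty($params['prefix']) ? null : $params['prefix'];
    }
}
```

A check of this kind is defence in depth alongside the upgrade, since it covers only authorization decisions made in `isAuthorized()`.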