@markstory released this Mar 14, 2016

The CakePHP core team is happy to announce the immediate availability of CakePHP 2.7.11. This release contains security fixes.

Security Fixes

These releases contain fixes for arbitrary address spoofing when using the clientIp() method of the request object. Previously, this method would use the HTTP_CLIENT_IP header which can be spoofed easily. If you are using this method as a source of trusted data we recommend you upgrade. We'd like to thank the independent security researcher Dawid Golunski for discovering this vulnerability in CakePHP which was reported to us by Beyond Security's SecuriTeam Secure Disclosure program.
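
The header-trusting pattern described above, next to a hardened resolver, as an added example. This is not CakePHP's code or its actual patch; the function names, the trusted-proxy list, the X-Forwarded-For handling and the sample addresses are assumptions made for illustration.

```php
<?php
// Added illustration; not CakePHP source. All names here are hypothetical.

// Pattern described above: a client-supplied header wins over the socket address.
function clientIpTrustingHeader(array $server): string
{
    // HTTP_CLIENT_IP is only the "Client-IP" request header; any client can set it.
    return $server['HTTP_CLIENT_IP'] ?? $server['REMOTE_ADDR'] ?? '';
}

// Hardened: use the TCP peer address, and consult a forwarding header only
// when the peer is a proxy the operator has explicitly listed as trusted.
function clientIpHardened(array $server, array $trustedProxies = []): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer; // direct connection: headers are untrusted input
    }
    // Walk X-Forwarded-For right to left, skipping trusted hops; the first
    // untrusted, well-formed address is treated as the client.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop and fall back to the peer address
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $peer;
}

// Constructed sample requests (documentation address ranges).
$direct = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_CLIENT_IP' => '192.0.2.10'];
$proxied = [
    'REMOTE_ADDR' => '198.51.100.1',
    'HTTP_CLIENT_IP' => '192.0.2.10',
    'HTTP_X_FORWARDED_FOR' => '192.0.2.99, 203.0.113.7',
];
$trusted = ['198.51.100.1'];

foreach (['direct' => $direct, 'proxied' => $proxied] as $label => $request) {
    printf(
        "%s: header-trusting=%s hardened=%s\n",
        $label,
        clientIpTrustingHeader($request),
        clientIpHardened($request, $trusted)
    );
}
```

Any code that uses the resolved address for allow-lists, rate limiting or audit logs should be checked against the direct-connection case, where the hardened resolver ignores every request header.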