The latest variants can be downloaded from Softpedia

May 3, 2013 07:39 GMT

The Cake Software Foundation has recently released versions 1.2.12, 1.3.16, 2.2.8 and 2.3.4 of CakePHP. Users of the web application framework's PaginatorComponent who do not whitelist sort fields are advised to update as soon as possible, because the vulnerability allows an attacker to perform SQL injection through the pagination sort parameters.

“CakePHP 1.2.12, 1.3.16, 2.2.8 and 2.3.4 have just been released to fix a critical issue with how pagination & PaginatorComponent handle sort criteria. When paginating without a sort column whitelist it was possible to execute arbitrary SQL by manipulating the sort conditions,” CakePHP’s Mark Story explained.
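As an added illustration (not CakePHP's own code), the following plain-PHP helper shows the kind of whitelist check that closes this class of bug: the sort field taken from the request is only ever compared against a fixed list of column names, and the direction is reduced to one of two literals, so nothing from the query string is interpolated into SQL. The column names and the sample requests are constructed for the example.

```php
<?php
// Added example, not CakePHP's own code. Whitelist and inputs are constructed.

/**
 * Build an ORDER BY fragment from user-controlled pagination parameters.
 * Returns null when the requested field is not whitelisted, so the caller
 * falls back to its default ordering instead of using request data.
 */
function buildOrderBy(array $params, array $sortWhitelist): ?string
{
    $field = $params['sort'] ?? null;
    $direction = strtolower((string) ($params['direction'] ?? 'asc'));

    // Strict comparison against the whitelist: only a value that is
    // byte-for-byte one of our own column names is accepted.
    if (!is_string($field) || !in_array($field, $sortWhitelist, true)) {
        return null;
    }

    // Direction collapses to one of two fixed literals; anything else is ASC.
    $direction = ($direction === 'desc') ? 'DESC' : 'ASC';

    // $field is now guaranteed to be one of our own identifiers, so the
    // fragment is composed from trusted values only.
    return sprintf('ORDER BY `%s` %s', $field, $direction);
}

// Constructed: the columns this listing may be sorted on.
$sortWhitelist = ['id', 'title', 'created'];

// Constructed request inputs: one valid, one carrying extra SQL in the sort
// field, one naming a column that exists but is not meant to be sortable.
$requests = [
    ['sort' => 'title', 'direction' => 'desc'],
    ['sort' => 'title DESC, id', 'direction' => 'asc'],
    ['sort' => 'owner_id', 'direction' => 'asc'],
];

foreach ($requests as $request) {
    $orderBy = buildOrderBy($request, $sortWhitelist);
    printf("%-16s => %s\n", $request['sort'], $orderBy ?? '(rejected, default order used)');
}
```

In CakePHP 2.x the same restriction is applied by passing the list of sortable fields as the whitelist argument of the controller's paginate() call rather than building the clause by hand.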

Version 2.2.8 contains only the security fix; the other releases also address several functionality issues.

Additional details on the vulnerability and how it can be exploited will be published later. The developers want to give users enough time to update their installations before releasing exploit information.

CakePHP is available for download here.