Description

CakePHP 1.3.7 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by dispatcher.php and certain other files.

Remediation

References

CVE-2011-3712

Related Vulnerabilities

WordPress Plugin Vertical SlideShow Arbitrary File Upload (2.3)

Oracle JRE CVE-2022-21360 Vulnerability (CVE-2022-21360)

Nexus Repository Manager Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') Vulnerability (CVE-2018-16621)

WordPress Plugin Post SMTP-WP SMTP with Email Logs & Mobile App for Failure Alerts-Any SMTP Plus Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES, Postmark SQL Injection (2.8.6)

Magento XML Injection (aka Blind XPath Injection) Vulnerability (CVE-2021-21025)

Severity

Medium

Classification

CVE-2011-3712 CWE-200

Tags

Missing Update Known Vulnerabilities