GHSA-hqmp-g7ph-x543: TunnelVision - decloaking VPNs using DHCP

GHSA-j5vv-6wjg-cfr8: changedetection.io Vulnerable to Improper Input Validation Leading to LFR/Path Traversal

GHSA-qx95-cwh6-9mvq: TCPDF missing character escape on error messages

GHSA-w95c-7994-ghpr: TCPDF has incorrect comparison

GHSA-4p8j-vhjm-6pvw: TCPDF lacks SVG sanitization

Unconventional URL paths would allow direct access to prefixed actions without setting the correct request parameters.

**Package**

composer cakephp/cakephp (Composer)

**Affected versions**

\>= 2.0.0, < 2.0.99

\>= 2.1.0, < 2.1.99

\>= 2.2.0, < 2.2.99

\>= 2.3.0, < 2.3.99

\>= 2.4.0, < 2.4.99

\>= 2.5.0, < 2.5.9

\>= 2.6.0, < 2.6.11

\>= 2.7.0, < 2.7.2

**Patched versions**

2.0.99

2.1.99

2.2.99

2.3.99

2.4.99

2.5.9

2.6.11

2.7.2

Headline

GHSA-6hg4-vp5q-47mw: CakePHP allows direct access of prefixed controller actions

ghsa: Latest News