High severity · NVD Advisory · Published Jan 14, 2011 · Updated Jun 16, 2026
CVE-2010-4335
Description
The _validatePost function in libs/controller/components/security.php in CakePHP 1.3.x through 1.3.5 and 1.2.8 allows remote attackers to modify the internal Cake cache and execute arbitrary code via a crafted data[_Token][fields] value that is processed by the unserialize function, as demonstrated by modifying the file_map cache to execute arbitrary local files.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cakephp/cakephp (Packagist) | >= 1.2.8, < 1.3.6 | 1.3.6 |
Affected products
- cpe:2.3:a:cakefoundation:cakephp:1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:cakephp:cakephp:1.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:cakephp:cakephp:1.3.0:alpha:*:*:*:*:*:*
- cpe:2.3:a:cakephp:cakephp:1.3.0:beta:*:*:*:*:*:*
- cpe:2.3:a:cakephp:cakephp:1.3.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:cakephp:cakephp:1.3.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:cakephp:cakephp:1.3.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:cakephp:cakephp:1.3.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:cakephp:cakephp:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:cakephp:cakephp:1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:cakephp:cakephp:1.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:cakephp:cakephp:1.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:cakephp:cakephp:1.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:cakephp:cakephp:1.3:dev:*:*:*:*:*:*
References
- github.com/cakephp/cakephp/commit/e431e86aa4301ced4273dc7919b59362cbb353cb (nvd; Patch; WEB)
- malloc.im/CakePHP-unserialize.txt (nvd; Exploit; WEB)
- packetstormsecurity.org/files/view/95847/burnedcake.py.txt (nvd; Exploit; WEB)
- secunia.com/advisories/42211 (nvd; Vendor Advisory; WEB)
- github.com/advisories/GHSA-g2vx-8v47-4vhh (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2010-4335 (ghsa; ADVISORY)
- securityreason.com/securityalert/8026 (nvd; WEB)
- www.exploit-db.com/exploits/16011 (nvd; WEB)
- www.osvdb.org/69352 (nvd; WEB)