CVE-2023-22727: Critical SQLi Flaw Patched in CakePHP

The developers of CakePHP have patched a critical vulnerability that can be exploited by a remote attacker for SQL injection, a researcher wrote on Github advisories.

With millions of downloads, CakePHP is a rapid development framework for PHP which uses commonly known design patterns like Associative Data Mapping, Front Controller, and MVC. Our primary goal is to provide a structured framework that enables PHP users at all levels to rapidly develop robust web applications, without any loss to flexibility.

Tracked as CVE-2023-22727 (Github CVSS score of 9.8), CakePHP is vulnerable to SQL injection, caused by un-sanitized user request data in `Cake\Database\Query::limit()` and `Cake\Database\Query::offset()` methods. A remote attacker could send specially-crafted SQL statements to the system, which could allow the attacker to read or modify any data on the underlying database or elevate their privileges.

Researcher Markstory has not disclosed the technical details of the vulnerability.

The CVE-2023-22727 was patched by CakePHP developers on January 6 with the release of versions 4.2.12, 4.3.11, and 4.4.10. Version 4.2.0 prior to 4.2.12, version 4.3.0 prior to 4.3.11, and version 4.4.0 prior to 4.4.10 are affected.

Users are advised to upgrade to the latest version. Users unable to upgrade may mitigate this issue by using CakePHP’s Pagination library. Manually validating or casting parameters to these methods will also mitigate the bug.