From 187f12b2547a9a9e94bccf5591991414bf9ba574 Mon Sep 17 00:00:00 2001
From: Mark Story
Date: Fri, 3 Jul 2026 18:04:47 -0400
Subject: [PATCH] Improve GHSA-hhpq-7wg4-36jm

---
 .../GHSA-hhpq-7wg4-36jm.json | 25 ++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/advisories/github-reviewed/2026/06/GHSA-hhpq-7wg4-36jm/GHSA-hhpq-7wg4-36jm.json b/advisories/github-reviewed/2026/06/GHSA-hhpq-7wg4-36jm/GHSA-hhpq-7wg4-36jm.json
index 6b2d617689a2b..55e55c9465aa9 100644
--- a/advisories/github-reviewed/2026/06/GHSA-hhpq-7wg4-36jm/GHSA-hhpq-7wg4-36jm.json
+++ b/advisories/github-reviewed/2026/06/GHSA-hhpq-7wg4-36jm/GHSA-hhpq-7wg4-36jm.json
@@ -1,13 +1,13 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-hhpq-7wg4-36jm",
- "modified": "2026-06-17T18:52:09Z",
+ "modified": "2026-06-20T19:03:45Z",
 "published": "2026-06-17T18:52:09Z",
 "aliases": [
 "CVE-2026-55590"
 ],
 "summary": "CakePHP Authentication: Open redirect weakness via backslash bypass",
- "details": "### Impact\nThe `getLoginRedirect()` method contains a weakness to backslash bypasses allowing redirect targets with attacker controlled hostnames.\n\n### Patches\n3.3.6 and 4.1.1 contain a fix for this issue.\n\n### Workarounds\nIf you are unable to upgrade, you should consider adding application validation to the redirect query string parameter to mitigate this vulnerability.",
+ "details": "### Impact\nThe `getLoginRedirect()` method contains a weakness to backslash bypasses allowing redirect targets with attacker controlled hostnames.\n\n### Patches\n2.11.1, 3.3.6 and 4.1.1 contain a fix for this issue.\n\n### Workarounds\nIf you are unable to upgrade, you should consider adding application validation to the redirect query string parameter to mitigate this vulnerability.",
 "severity": [
 {
 "type": "CVSS_V4",
@@ -25,7 +25,7 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "0"
+ "introduced": "3.0.0"
 },
 {
 "fixed": "3.3.6"
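Review bot: Raising `introduced` to `3.0.0` in the second hunk leaves any 3.0.0 pre-release tag in a gap: Composer orders a tag of the form `3.0.0-RC1` (constructed example) below `3.0.0`, so such a release falls between the new 2.x range's `"fixed": "2.11.1"` and this range and would be reported as unaffected, even though it presumably already ships `getLoginRedirect()`. If any 3.0 pre-releases were published, consider setting `introduced` to the earliest published 3.0 pre-release tag rather than `3.0.0`; if none were, the value is fine. The `ranges`/`events` structure this hunk edits is opened and closed outside the hunk.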
@@ -52,6 +52,25 @@
 ]
 }
 ]
+ },
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "cakephp/authentication"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.11.1"
+ }
+ ]
+ }
+ ]
 }
 ],
 "references": [
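Review bot: The added 2.x range starts at `"introduced": "0"`, so every 1.x release of cakephp/authentication is also marked affected, with `2.11.1` as the only listed remediation, while the `details` text in the first hunk names only 2.11.1, 3.3.6 and 4.1.1 and says nothing about 1.x. If the weakness is present in 1.x that is the intended semantics, but it is worth a sentence in `details` stating whether 1.x receives a fix or must be upgraded to 2.11.1; if `getLoginRedirect()` did not exist in 1.x, `introduced` should instead be the 2.x version that added it. The `affected` array this entry is appended to begins outside the hunk.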