CVE-2011-3712
CakePHP 1.3.7 allows remote attackers to obtain sensitive information via a direct request to a .php file
EPSS 1.4%
Description
CakePHP 1.3.7 allows remote attackers to obtain sensitive information via a direct request to a `.php` file, which reveals the installation path in an error message, as demonstrated by `dispatcher.php` and certain other files.
How to fix CVE-2011-3712
To remediate CVE-2011-3712, upgrade the affected package to a fixed version listed below.
- Packagist/cakephp/cakephp: upgrade to 1.3.8 or later
Is CVE-2011-3712 being exploited?
Low — EPSS is 1.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Packagist/cakephp/cakephp: >= 1.3.7, < 1.3.8