GHSA-6hg4-vp5q-47mw: 
PHP vulnerability analysis and mitigation

A security vulnerability was identified in CakePHP versions 2.0.0 through 2.7.2, disclosed on August 6, 2015. The vulnerability allowed unconventional URL paths to directly access prefixed controller actions without setting the correct request parameters. This issue particularly affects applications using prefix routing for authorization purposes (GitHub Advisory, CakePHP Blog).

The vulnerability stems from a flaw in how CakePHP handles prefix routing, where manipulating URL path casing could bypass intended access controls. The issue was resolved by implementing case-insensitive prefix comparison and additional validation checks for prefixed actions (CakePHP Commit). The vulnerability is classified as moderate severity and affects multiple version ranges including 2.0.0-2.0.99, 2.1.0-2.1.99, 2.2.0-2.2.99, 2.3.0-2.3.99, 2.4.0-2.4.99, 2.5.0-2.5.9, 2.6.0-2.6.11, and 2.7.0-2.7.2 (GitHub Advisory).

The vulnerability could allow unauthorized access to prefixed controller actions in applications that rely on prefix routing for authorization. This could potentially lead to privilege escalation or unauthorized access to protected functionality (CakePHP Blog).

The issue was patched in versions 2.5.9, 2.6.11, and 2.7.2. Users are strongly recommended to upgrade to these patched versions or their respective latest releases. The fix involves proper handling of prefix routing and case-sensitive comparisons (CakePHP Blog).

The CakePHP core team acknowledged the security issue and credited Kurita Takashi for responsibly disclosing the vulnerability through their security issue process (CakePHP Release).