GHSA-j9q2-f9q7-jhgq: 
PHP vulnerability analysis and mitigation

The SecurityComponent cross form submission issue (GHSA-j9q2-f9q7-jhgq) affected CakePHP versions 2.0.0 to 2.4.8 and 1.3.0 to 1.3.18. The vulnerability was discovered and disclosed on April 29, 2014, affecting the SecurityComponent functionality in CakePHP framework. The issue was patched in versions 2.4.8 and 1.3.18 (CakePHP Blog, GitHub Advisory).

Prior to the patched versions, forms secured by SecurityComponent could be submitted to any action without triggering SecurityComponent's tampering protection. The vulnerability stemmed from the form hash generation process not including the form's action URL, which allowed cross-action form submissions. The fix involved modifying the hash generation to include the form's action URL as part of the security hash calculation (CakePHP Commit).

If an application contained multiple POST forms to manipulate the same models, it could be vulnerable to mass assignment issues. This vulnerability could potentially violate developers' mental model of how SecurityComponent works and produce unexpected or undesirable outcomes (GitHub Advisory).

The issue was fixed in CakePHP versions 2.4.8 and 1.3.18. Users should upgrade to these or later versions to receive the security fix. The patch includes the form's action URL in the generated security hash, preventing cross-action form submissions (CakePHP Blog).