CakePHP PaginatorHelper Limit Control Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting vulnerability has been identified in the limitControl() method of the CakePHP PaginatorHelper. The issue arises because data taken from the request query string is output as unescaped HTML, allowing JavaScript injection through manipulated query parameters. The vulnerability affects CakePHP versions from 5.2.10 prior to 5.2.12, and 5.3.0; it has been addressed in the 5.2.12 and 5.3.1 releases.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where injected JavaScript is executed in the context of the user's browser.

Reproduction

The vulnerability can be reproduced by calling PaginatorHelper::limitControl() while the request query string contains unescaped HTML, such as a script tag. The injected JavaScript will be executed when the generated form is submitted.

Remediation

Users should upgrade to CakePHP 5.2.12 or 5.3.1 to address this vulnerability. If an immediate upgrade is not possible, avoid using the PaginatorHelper::limitControl() method until the upgrade can be performed.
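To illustrate the flaw described above and the remediation, here is an added example that is not CakePHP's PaginatorHelper code: a simplified stand-in for a pagination limit form that copies the current query string into hidden inputs, shown first with request values interpolated unescaped and then hardened with htmlspecialchars() (which CakePHP's h() helper wraps). The function names, markup and the constructed query values are assumptions for this example.

```php
<?php
// Illustrative stand-in for a pagination "limit" form builder.
// Not CakePHP's PaginatorHelper; names and markup are assumptions.

declare(strict_types=1);

/** Vulnerable: request-derived values are interpolated into attributes as-is. */
function renderLimitControlUnsafe(array $query, array $limits): string
{
    $html = '<form method="get">';
    foreach ($query as $name => $value) {
        if ($name === 'limit') {
            continue;
        }
        // A value containing a double quote closes the attribute early.
        $html .= "<input type=\"hidden\" name=\"$name\" value=\"$value\">";
    }
    $html .= '<select name="limit">';
    foreach ($limits as $limit) {
        $html .= "<option value=\"$limit\">$limit</option>";
    }
    return $html . '</select></form>';
}

/** Hardened: every request-derived string is HTML-escaped before output. */
function renderLimitControl(array $query, array $limits): string
{
    // ENT_QUOTES escapes both quote styles, so attribute values cannot be broken out of.
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $html = '<form method="get">';
    foreach ($query as $name => $value) {
        if ($name === 'limit') {
            continue;
        }
        $html .= '<input type="hidden" name="' . $h((string)$name)
              . '" value="' . $h((string)$value) . '">';
    }
    $html .= '<select name="limit">';
    foreach ($limits as $limit) {
        $html .= '<option value="' . $h((string)$limit) . '">' . $h((string)$limit) . '</option>';
    }
    return $html . '</select></form>';
}

// Constructed query string (not from the advisory): a harmless probe that
// closes the value attribute and injects an inline tag.
$query = ['page' => '2', 'sort' => '"><i>probe</i>'];
echo renderLimitControlUnsafe($query, [10, 20]), "\n"; // unsafe rendering
echo renderLimitControl($query, [10, 20]), "\n";       // escaped rendering
```

Comparing the two outputs shows the probe surviving as live markup in the unsafe form and appearing as inert escaped text in the hardened one; the same check applied to any helper that reflects request data is the quickest way to confirm whether an upgrade or workaround is still needed.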

Added: Jan 16, 2026, 9:20 PM
Updated: Jan 16, 2026, 9:20 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 1.7
exploitability: 7.6
remediation: 8.3
relevance: 2.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.