BIT-codeigniter-2022-35943

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/codeigniter/BIT-codeigniter-2022-35943.json

JSON Data

https://api.test.osv.dev/v1/vulns/BIT-codeigniter-2022-35943

Aliases

Published

2024-03-06T10:53:45.787Z

Modified

2024-03-06T11:25:28.861Z

Summary

[none]

Details

Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow SameSite Attackers to bypass the CodeIgniter4 CSRF protection mechanism with CodeIgniter Shield. For this attack to succeed, the attacker must have direct (or indirect, e.g., XSS) control over a subdomain site (e.g., https://a.example.com/) of the target site (e.g., http://example.com/). Upgrade to CodeIgniter v4.2.3 or later and Shield v1.0.0-beta.2 or later. As a workaround: set Config\Security::$csrfProtection to 'session,'remove old session data right after login (immediately after ID and password match) and regenerate CSRF token right after login (immediately after ID and password match)

Database specific

{
    "cpes": [
        "cpe:2.3:a:codeigniter:codeigniter:*:*:*:*:*:*:*:*"
    ],
    "severity": "High"
}

References

Affected packages

Bitnami / codeigniter

Package

Name: codeigniter
Purl: pkg:bitnami/codeigniter

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.2.3