GHSA-jwqp-wh5g-4gmm

Suggest an improvement
Source
https://github.com/advisories/GHSA-jwqp-wh5g-4gmm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jwqp-wh5g-4gmm/GHSA-jwqp-wh5g-4gmm.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-jwqp-wh5g-4gmm
Aliases
Published
2022-05-24T17:12:13Z
Modified
2024-04-24T18:11:46.181166Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
CodeIgniter Improper Privilege Management
Details

CodeIgniter through 4.0.0 allows remote attackers to gain privileges via a modified Email ID to the "Select Role of the User" page. NOTE: A contributor to the CodeIgniter framework argues that the issue should not be attributed to CodeIgniter. Furthermore, the blog post reference shows an unknown website built with the CodeIgniter framework but that CodeIgniter is not responsible for introducing this issue because the framework has never provided a login screen, nor any kind of login or user management facilities beyond a Session library. Also, another reporter indicates the issue is with a custom module/plugin to CodeIgniter, not CodeIgniter itself.

Database specific
{
    "nvd_published_at": "2020-03-23T15:15:00Z",
    "cwe_ids": [
        "CWE-269"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-24T17:49:09Z"
}
References

Affected packages

Packagist / codeigniter4/framework

Package

Name
codeigniter4/framework
Purl
pkg:composer/codeigniter4/framework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
4.0.0

Affected versions

v4.*

v4.0.0-alpha.3
v4.0.0-alpha.4
v4.0.0-alpha.5
v4.0.0-beta.1
v4.0.0-beta.2
v4.0.0-beta.3
v4.0.0-beta.4
v4.0.0-rc.1
v4.0.0-rc.2
v4.0.0-rc.2.1
v4.0.0-rc.3

4.*

4.0.0-rc.4
4.0.0