Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/53180?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/53180?format=api", "purl": "pkg:composer/codeigniter4/framework@4.0.0", "type": "composer", "namespace": "codeigniter4", "name": "framework", "version": "4.0.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "4.1.6", "latest_non_vulnerable_version": "4.4.7", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42541?format=api", "vulnerability_id": "VCID-283r-1kb4-9kew", "summary": "Improper Input Validation\nCodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. Prior to version 4.1.9, an improper input validation vulnerability allows attackers to execute CLI routes via HTTP request. Version 4.1.9 contains a patch. There are currently no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://github.com/codeigniter4/CodeIgniter4/commit/202f41ad522ba1d414b9d9c35aba1cb0c156b781", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/codeigniter4/CodeIgniter4/commit/202f41ad522ba1d414b9d9c35aba1cb0c156b781" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24711", "reference_id": "CVE-2022-24711", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24711" }, { "reference_url": "https://github.com/advisories/GHSA-xjp4-6w75-qrj7", "reference_id": "GHSA-xjp4-6w75-qrj7", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-xjp4-6w75-qrj7" }, { "reference_url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-xjp4-6w75-qrj7", "reference_id": "GHSA-xjp4-6w75-qrj7", "reference_type": "", "scores": [], "url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-xjp4-6w75-qrj7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60818?format=api", "purl": "pkg:composer/codeigniter4/framework@4.1.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/codeigniter4/framework@4.1.9" } ], "aliases": [ "CVE-2022-24711", "GHSA-xjp4-6w75-qrj7" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-283r-1kb4-9kew" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41947?format=api", "vulnerability_id": "VCID-3jm3-513z-p7ed", "summary": "CodeIgniter is an open source PHP full-stack web framework. Deserialization of Untrusted Data was found in the `old()` function in CodeIgniter4. Remote attackers may inject auto-loadable arbitrary objects with this vulnerability, and possibly execute existing PHP code on the server. We are aware of a working exploit, which can lead to SQL injection. Users are advised to upgrade to v4.1.6 or later. Users unable to upgrade as advised to not use the `old()` function and form_helper nor `RedirectResponse::withInput()` and `redirect()->withInput()`.", "references": [ { "reference_url": "https://github.com/codeigniter4/CodeIgniter4/commit/ce95ed5765256e2f09f3513e7d42790e0d6948f5", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/codeigniter4/CodeIgniter4/commit/ce95ed5765256e2f09f3513e7d42790e0d6948f5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21647", "reference_id": "CVE-2022-21647", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21647" }, { "reference_url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-w6jr-wj64-mc9x", "reference_id": "GHSA-w6jr-wj64-mc9x", "reference_type": "", "scores": [], "url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-w6jr-wj64-mc9x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/59945?format=api", "purl": "pkg:composer/codeigniter4/framework@4.1.6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/codeigniter4/framework@4.1.6" } ], "aliases": [ "CVE-2022-21647", "GHSA-w6jr-wj64-mc9x" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3jm3-513z-p7ed" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42540?format=api", "vulnerability_id": "VCID-fpsw-s5r4-5uhe", "summary": "CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A vulnerability in versions prior to 4.1.9 might allow remote attackers to bypass the CodeIgniter4 Cross-Site Request Forgery (CSRF) protection mechanism. Users should upgrade to version 4.1.9. There are workarounds for this vulnerability, but users will still need to code as these after upgrading to v4.1.9. Otherwise, the CSRF protection may be bypassed. If auto-routing is enabled, check the request method in the controller method before processing. If auto-routing is disabled, either avoid using `$routes->add()` and instead use HTTP verbs in routes; or check the request method in the controller method before processing.", "references": [ { "reference_url": "https://github.com/codeigniter4/CodeIgniter4/blob/7dc2ece32401ebde67122f7d2460efcaee7c352e/user_guide_src/source/changelogs/v4.1.9.rst", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/codeigniter4/CodeIgniter4/blob/7dc2ece32401ebde67122f7d2460efcaee7c352e/user_guide_src/source/changelogs/v4.1.9.rst" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24712", "reference_id": "CVE-2022-24712", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24712" }, { "reference_url": "https://github.com/advisories/GHSA-4v37-24gm-h554", "reference_id": "GHSA-4v37-24gm-h554", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4v37-24gm-h554" }, { "reference_url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-4v37-24gm-h554", "reference_id": "GHSA-4v37-24gm-h554", "reference_type": "", "scores": [], "url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-4v37-24gm-h554" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60818?format=api", "purl": "pkg:composer/codeigniter4/framework@4.1.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/codeigniter4/framework@4.1.9" } ], "aliases": [ "CVE-2022-24712", "GHSA-4v37-24gm-h554" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fpsw-s5r4-5uhe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42171?format=api", "vulnerability_id": "VCID-pskc-ec8x-wyc2", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nCodeIgniter4 is the branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in `API\\ResponseTrait` in Codeigniter4 Attackers can do XSS attacks if a potential victim is using `API\\ResponseTrait`. contains a patch for this vulnerability. There are two potential workarounds available. Users may avoid using `API\\ResponseTrait` or `ResourceController` Users may also disable Auto Route and use defined routes only.", "references": [ { "reference_url": "https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only", "reference_id": "", "reference_type": "", "scores": [], "url": "https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only" }, { "reference_url": "https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21715", "reference_id": "CVE-2022-21715", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21715" }, { "reference_url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62", "reference_id": "GHSA-7528-7jg5-6g62", "reference_type": "", "scores": [], "url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60263?format=api", "purl": "pkg:composer/codeigniter4/framework@4.1.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/codeigniter4/framework@4.1.8" } ], "aliases": [ "CVE-2022-21715", "GHSA-7528-7jg5-6g62" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pskc-ec8x-wyc2" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42867?format=api", "vulnerability_id": "VCID-fvpd-px29-47hf", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nBootstrap v3.1.11 and v3.3.7 was discovered to contain a cross-site scripting (XSS) vulnerability via the Title parameter in /vendor/views/add_product.php.", "references": [ { "reference_url": "https://drive.google.com/file/d/1Dp0dD9PNcwamjRi0ldD0hUOEivu48SR6/view?usp=sharing", "reference_id": "", "reference_type": "", "scores": [], "url": "https://drive.google.com/file/d/1Dp0dD9PNcwamjRi0ldD0hUOEivu48SR6/view?usp=sharing" }, { "reference_url": "https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap/blob/master/application/modules/vendor/views/add_product.php#L35", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap/blob/master/application/modules/vendor/views/add_product.php#L35" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26624", "reference_id": "CVE-2022-26624", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26624" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53180?format=api", "purl": "pkg:composer/codeigniter4/framework@4.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-283r-1kb4-9kew" }, { "vulnerability": "VCID-3jm3-513z-p7ed" }, { "vulnerability": "VCID-fpsw-s5r4-5uhe" }, { "vulnerability": "VCID-pskc-ec8x-wyc2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/codeigniter4/framework@4.0.0" } ], "aliases": [ "CVE-2022-26624" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fvpd-px29-47hf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39981?format=api", "vulnerability_id": "VCID-s814-tdxe-1baf", "summary": "A Session Fixation issue exists in CodeIgniter because `session.use_strict_mode` in the Session Library was mishandled.", "references": [ { "reference_url": "https://github.com/bcit-ci/CodeIgniter", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/bcit-ci/CodeIgniter" }, { "reference_url": "https://github.com/bcit-ci/CodeIgniter/commit/800a20d6c4662d99ae0988b2f8f2238bb8bb29db", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/bcit-ci/CodeIgniter/commit/800a20d6c4662d99ae0988b2f8f2238bb8bb29db" }, { "reference_url": "https://github.com/bcit-ci/CodeIgniter/commit/a9da3dd2f16a8f97d7bc4ff5572b28e4bb84c813#diff-32788a4d3748e8818044886ab43241179c7f5f5b82e979e73146669ca6e2da1cR306", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/bcit-ci/CodeIgniter/commit/a9da3dd2f16a8f97d7bc4ff5572b28e4bb84c813#diff-32788a4d3748e8818044886ab43241179c7f5f5b82e979e73146669ca6e2da1cR306" }, { "reference_url": "https://github.com/bcit-ci/CodeIgniter/issues/5958", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/bcit-ci/CodeIgniter/issues/5958" }, { "reference_url": "https://web.archive.org/web/20181115214804/https://www.codeigniter.com/user_guide/changelog.html#version-3-1-9", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20181115214804/https://www.codeigniter.com/user_guide/changelog.html#version-3-1-9" }, { "reference_url": "https://www.codeigniter.com/user_guide/changelog.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.codeigniter.com/user_guide/changelog.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12071", "reference_id": "CVE-2018-12071", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12071" }, { "reference_url": "https://github.com/advisories/GHSA-g434-3q2j-hj4r", "reference_id": "GHSA-g434-3q2j-hj4r", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-g434-3q2j-hj4r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53180?format=api", "purl": "pkg:composer/codeigniter4/framework@4.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-283r-1kb4-9kew" }, { "vulnerability": "VCID-3jm3-513z-p7ed" }, { "vulnerability": "VCID-fpsw-s5r4-5uhe" }, { "vulnerability": "VCID-pskc-ec8x-wyc2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/codeigniter4/framework@4.0.0" } ], "aliases": [ "CVE-2018-12071", "GHSA-g434-3q2j-hj4r" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s814-tdxe-1baf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38442?format=api", "vulnerability_id": "VCID-xueg-x3e8-bqak", "summary": "Injection Vulnerability\n`system/libraries/Email.php` in CodeIgniter allows remote attackers to execute arbitrary code by leveraging control over the `email->from` field to insert sendmail command-line arguments.", "references": [ { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10131", "reference_id": "CVE-2016-10131", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10131" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53180?format=api", "purl": "pkg:composer/codeigniter4/framework@4.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-283r-1kb4-9kew" }, { "vulnerability": "VCID-3jm3-513z-p7ed" }, { "vulnerability": "VCID-fpsw-s5r4-5uhe" }, { "vulnerability": "VCID-pskc-ec8x-wyc2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/codeigniter4/framework@4.0.0" } ], "aliases": [ "CVE-2016-10131" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xueg-x3e8-bqak" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39167?format=api", "vulnerability_id": "VCID-xwf7-ef5d-yffc", "summary": "Improper Input Validation\nBritish Columbia Institute of Technology CodeIgniter is vulnerable to HTTP Header Injection in the `set_status_header()` common function under Apache resulting in HTTP Header Injection flaws.", "references": [ { "reference_url": "https://www.codeigniter.com/userguide3/changelog.html#version-3-1-4", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.codeigniter.com/userguide3/changelog.html#version-3-1-4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000247", "reference_id": "CVE-2017-1000247", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000247" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53180?format=api", "purl": "pkg:composer/codeigniter4/framework@4.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-283r-1kb4-9kew" }, { "vulnerability": "VCID-3jm3-513z-p7ed" }, { "vulnerability": "VCID-fpsw-s5r4-5uhe" }, { "vulnerability": "VCID-pskc-ec8x-wyc2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/codeigniter4/framework@4.0.0" } ], "aliases": [ "CVE-2017-1000247" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xwf7-ef5d-yffc" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/codeigniter4/framework@4.0.0" }