## Record 10: VCID-fpcv-9quu-8fe2

| field | value |
|---|---|
| url | VCID-fpcv-9quu-8fe2 |
| vulnerability_id | VCID-fpcv-9quu-8fe2 |

summary:
CodeIgniter Shield Vulnerable to SameSite Attackers Bypassing the CSRF Protection
### Impact
This vulnerability may allow [SameSite Attackers](https://canitakeyoursubdomain.name/) to bypass the [CodeIgniter4 CSRF protection](https://codeigniter4.github.io/userguide/libraries/security.html) mechanism with CodeIgniter Shield.
For this attack to succeed, the attacker must have direct (or indirect, e.g., XSS) control over a subdomain site (e.g., `https://a.example.com/`) of the target site (e.g., `http://example.com/`).
This vulnerability exists whether `Config\Security::$csrfProtection` is `'cookie'` or `'session'`.
It is also exploitable whether `Config\Security::$regenerate` is `true` or `false`.
### Patches
Upgrade to **CodeIgniter v4.2.3 or later** and **Shield v1.0.0-beta.2 or later**.
### Workarounds
Do all of the following:
- set `Config\Security::$csrfProtection` to `'session'`
- remove old session data right after login (immediately after ID and password match)
- regenerate CSRF token right after login (immediately after ID and password match)
### References
- [CodeIgniter4 CSRF Protection](https://codeigniter4.github.io/userguide/libraries/security.html)
- [SameSite Attacks](https://canitakeyoursubdomain.name/)
- [SameSite Cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite)
- [The great SameSite confusion](https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/)
### For more information
If you have any questions or comments about this advisory:
* Open an issue or discussion in [codeigniter4/shield](https://github.com/codeigniter4/shield)
* Email us at [security@codeigniter.com](mailto:security@codeigniter.com)
references (0):

| field | value |
|---|---|
| reference_url | https://api.first.org/data/v1/epss?cve=CVE-2022-35943 |
| reference_id | |
| reference_type | |
| url | https://api.first.org/data/v1/epss?cve=CVE-2022-35943 |

scores:

| index | value | scoring_system | scoring_elements | published_at |
|---|---|---|---|---|
| 0 | 0.00153 | epss | 0.35752 | 2026-06-06T12:55:00Z |
| 1 | 0.00153 | epss | 0.3567 | 2026-06-08T12:55:00Z |
| 2 | 0.00153 | epss | 0.35712 | 2026-06-07T12:55:00Z |
| 3 | 0.00153 | epss | 0.3574 | 2026-06-05T12:55:00Z |
| 4 | 0.00153 | epss | 0.35637 | 2026-06-04T12:55:00Z |
| field | value |
|---|---|
| fixed_packages | |
| aliases | CVE-2022-35943, GHSA-5hm8-vh6r-2cjq |
| risk_score | 3.1 |
| exploitability | 0.5 |
| weighted_severity | 6.2 |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-fpcv-9quu-8fe2 |
## Record 14: VCID-s6nh-cvkt-vygr

| field | value |
|---|---|
| url | VCID-s6nh-cvkt-vygr |
| vulnerability_id | VCID-s6nh-cvkt-vygr |

summary:
Generation of Error Message Containing Sensitive Information
CodeIgniter is a PHP full-stack web framework. Prior to CodeIgniter4 version 4.4.3, if an error or exception occurs, a detailed error report is displayed even if in the production environment. As a result, confidential information may be leaked. Version 4.4.3 contains a patch. As a workaround, replace `ini_set('display_errors', '0')` with `ini_set('display_errors', 'Off')` in `app/Config/Boot/production.php`.
references (0):

| field | value |
|---|---|
| reference_url | https://api.first.org/data/v1/epss?cve=CVE-2023-46240 |
| reference_id | |
| reference_type | |
| url | https://api.first.org/data/v1/epss?cve=CVE-2023-46240 |

scores:

| index | value | scoring_system | scoring_elements | published_at |
|---|---|---|---|---|
| 0 | 0.00426 | epss | 0.62662 | 2026-06-06T12:55:00Z |
| 1 | 0.00426 | epss | 0.62637 | 2026-06-08T12:55:00Z |
| 2 | 0.00426 | epss | 0.62652 | 2026-06-07T12:55:00Z |
| 3 | 0.00426 | epss | 0.62653 | 2026-06-05T12:55:00Z |
| field | value |
|---|---|
| fixed_packages | |
| aliases | CVE-2023-46240, GHSA-hwxf-qxj7-7rfj |
| risk_score | 4.0 |
| exploitability | 0.5 |
| weighted_severity | 8.0 |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-s6nh-cvkt-vygr |
## Record 15: VCID-s814-tdxe-1baf

| field | value |
|---|---|
| url | VCID-s814-tdxe-1baf |
| vulnerability_id | VCID-s814-tdxe-1baf |

summary:
A Session Fixation issue exists in CodeIgniter because `session.use_strict_mode` in the Session Library was mishandled.
references (0):

| field | value |
|---|---|
| reference_url | https://api.first.org/data/v1/epss?cve=CVE-2018-12071 |
| reference_id | |
| reference_type | |
| url | https://api.first.org/data/v1/epss?cve=CVE-2018-12071 |

scores:

| index | value | scoring_system | scoring_elements | published_at |
|---|---|---|---|---|
| 0 | 0.00242 | epss | 0.4767 | 2026-06-04T12:55:00Z |
| 1 | 0.00242 | epss | 0.47688 | 2026-06-08T12:55:00Z |
| 2 | 0.00242 | epss | 0.47717 | 2026-06-07T12:55:00Z |
| 3 | 0.00242 | epss | 0.47735 | 2026-06-06T12:55:00Z |
| 4 | 0.00242 | epss | 0.47734 | 2026-06-05T12:55:00Z |
| field | value |
|---|---|
| fixed_packages | |
| aliases | CVE-2018-12071, GHSA-g434-3q2j-hj4r |
| risk_score | 4.5 |
| exploitability | 0.5 |
| weighted_severity | 9.0 |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-s814-tdxe-1baf |