Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/42540?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42540?format=api", "vulnerability_id": "VCID-fpsw-s5r4-5uhe", "summary": "CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A vulnerability in versions prior to 4.1.9 might allow remote attackers to bypass the CodeIgniter4 Cross-Site Request Forgery (CSRF) protection mechanism. Users should upgrade to version 4.1.9. There are workarounds for this vulnerability, but users will still need to code as these after upgrading to v4.1.9. Otherwise, the CSRF protection may be bypassed. If auto-routing is enabled, check the request method in the controller method before processing. If auto-routing is disabled, either avoid using `$routes->add()` and instead use HTTP verbs in routes; or check the request method in the controller method before processing.", "aliases": [ { "alias": "CVE-2022-24712" }, { "alias": "GHSA-4v37-24gm-h554" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60818?format=api", "purl": "pkg:composer/codeigniter4/framework@4.1.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/codeigniter4/framework@4.1.9" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53180?format=api", "purl": "pkg:composer/codeigniter4/framework@4.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-283r-1kb4-9kew" }, { "vulnerability": "VCID-3jm3-513z-p7ed" }, { "vulnerability": "VCID-fpsw-s5r4-5uhe" }, { "vulnerability": "VCID-pskc-ec8x-wyc2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/codeigniter4/framework@4.0.0" } ], "references": [ { "reference_url": "https://github.com/codeigniter4/CodeIgniter4/blob/7dc2ece32401ebde67122f7d2460efcaee7c352e/user_guide_src/source/changelogs/v4.1.9.rst", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/codeigniter4/CodeIgniter4/blob/7dc2ece32401ebde67122f7d2460efcaee7c352e/user_guide_src/source/changelogs/v4.1.9.rst" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24712", "reference_id": "CVE-2022-24712", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24712" }, { "reference_url": "https://github.com/advisories/GHSA-4v37-24gm-h554", "reference_id": "GHSA-4v37-24gm-h554", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4v37-24gm-h554" }, { "reference_url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-4v37-24gm-h554", "reference_id": "GHSA-4v37-24gm-h554", "reference_type": "", "scores": [], "url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-4v37-24gm-h554" } ], "weaknesses": [ { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." }, { "cwe_id": 352, "name": "Cross-Site Request Forgery (CSRF)", "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." } ], "exploits": [], "severity_range_score": null, "exploitability": null, "weighted_severity": null, "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fpsw-s5r4-5uhe" }