| purl | pkg:composer/codeigniter/framework@3.0.1rc |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-1cv5-c88f-ebdt (Aliases: GMS-2015-40) | XSS vulnerability: there is an XSS attack vector in the Security Library method `xss_clean()`. | Affected by 18 other vulnerabilities. |
| VCID-1euz-ns2t-43be (Aliases: GHSA-q9j3-4ghj-6h57) | Inadequate XSS prevention in the CodeIgniter/Framework Security Library. | Affected by 18 other vulnerabilities. |
| VCID-1znc-1bss-pkaj (Aliases: CVE-2023-46240, GHSA-hwxf-qxj7-7rfj) | CodeIgniter is a PHP full-stack web framework. Prior to CodeIgniter4 version 4.4.3, if an error or exception occurs, a detailed error report is displayed even in the production environment. As a result, confidential information may be leaked. Version 4.4.3 contains a patch. As a workaround, replace `ini_set('display_errors', '0')` with `ini_set('display_errors', 'Off')` in `app/Config/Boot/production.php`. | There are no reported fixed by versions. |
| VCID-231k-qhpa-nbaa (Aliases: CVE-2022-40830) | B.C. Institute of Technology CodeIgniter <=3.1.13 is vulnerable to SQL injection via the `where_not_in()` function in `system\database\DB_query_builder.php`. Note: multiple third parties have disputed this as not a valid vulnerability. | There are no reported fixed by versions. |
| VCID-3y4t-drup-7bff (Aliases: CVE-2022-40824) | B.C. Institute of Technology CodeIgniter <=3.1.13 is vulnerable to SQL injection via the `or_where()` function in `system\database\DB_query_builder.php`. Note: multiple third parties have disputed this as not a valid vulnerability. | There are no reported fixed by versions. |
| VCID-41bw-mjye-v3fb (Aliases: GMS-2015-65) | Cross-site scripting: XSS attack vector in the Security Library method `xss_clean()`. | Affected by 18 other vulnerabilities. |
| VCID-4n8d-t3h7-3uhp (Aliases: CVE-2022-40828) | B.C. Institute of Technology CodeIgniter <=3.1.13 is vulnerable to SQL injection via the `or_where_not_in()` function in `system\database\DB_query_builder.php`. Note: multiple third parties have disputed this as not a valid vulnerability. | There are no reported fixed by versions. |
| VCID-76nu-w1zz-m7f5 (Aliases: CVE-2018-12071, GHSA-g434-3q2j-hj4r) | | Affected by 15 other vulnerabilities. |
| VCID-cf3d-xyya-q3hn (Aliases: CVE-2022-40826) | B.C. Institute of Technology CodeIgniter <=3.1.13 is vulnerable to SQL injection via the `or_having()` function in `system\database\DB_query_builder.php`. Note: multiple third parties have disputed this as not a valid vulnerability. | There are no reported fixed by versions. |
| VCID-cunj-m81q-cben (Aliases: GMS-2016-55) | Critical SQL injection bug in the ODBC database driver. | Affected by 16 other vulnerabilities. |
| VCID-dbng-2m6j-1uha (Aliases: CVE-2022-35943, GHSA-5hm8-vh6r-2cjq) | Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow [SameSite Attackers](https://canitakeyoursubdomain.name/) to bypass the [CodeIgniter4 CSRF protection](https://codeigniter4.github.io/userguide/libraries/security.html) mechanism with CodeIgniter Shield. For this attack to succeed, the attacker must have direct (or indirect, e.g., XSS) control over a subdomain site (e.g., `https://a.example.com/`) of the target site (e.g., `http://example.com/`). Upgrade to **CodeIgniter v4.2.3 or later** and **Shield v1.0.0-beta.2 or later**. As a workaround: set `Config\Security::$csrfProtection` to `'session'`, remove old session data right after login (immediately after ID and password match), and regenerate the CSRF token right after login (immediately after ID and password match). | There are no reported fixed by versions. |
| VCID-dq2u-p7ju-6yfd (Aliases: CVE-2023-32692, GHSA-m6m8-6gq8-c9fj, GMS-2023-1562) | CodeIgniter is a PHP full-stack web framework. This vulnerability allows attackers to execute arbitrary code when you use Validation Placeholders. The vulnerability exists in the Validation library; validation methods in the controller and in-model validation are also vulnerable because they use the Validation library internally. This issue is patched in version 4.3.5. | Affected by 0 other vulnerabilities. |
| VCID-ek73-5du4-cyfk (Aliases: GMS-2016-130) | SQL injection: critical SQL injection bug in the ODBC database driver. | Affected by 16 other vulnerabilities. |
| VCID-eyc5-b6j3-y7hp (Aliases: CVE-2022-40827) | B.C. Institute of Technology CodeIgniter <=3.1.13 is vulnerable to SQL injection via the `where()` function in `system\database\DB_query_builder.php`. Note: multiple third parties have disputed this as not a valid vulnerability. | There are no reported fixed by versions. |
| VCID-nhqd-xnc3-4ud7 (Aliases: CVE-2022-40831) | | There are no reported fixed by versions. |
| VCID-ppr6-6ade-qket (Aliases: CVE-2022-40835) | | There are no reported fixed by versions. |
| VCID-sh3e-qf4u-4uh1 (Aliases: CVE-2022-40832) | | There are no reported fixed by versions. |
| VCID-tgf3-jb23-8qf4 (Aliases: CVE-2022-40829) | B.C. Institute of Technology CodeIgniter <=3.1.13 is vulnerable to SQL injection via the `or_like()` function in `system\database\DB_query_builder.php`. Note: multiple third parties have disputed this as not a valid vulnerability. | There are no reported fixed by versions. |
| VCID-u5z4-jmsw-1ydx (Aliases: CVE-2022-40825) | | There are no reported fixed by versions. |
| VCID-vsj9-ajwc-t7b3 (Aliases: CVE-2022-40833) | B.C. Institute of Technology CodeIgniter <=3.1.13 is vulnerable to SQL injection via the `or_where_in()` function in `system\database\DB_query_builder.php`. Note: multiple third parties have disputed this as not a valid vulnerability. | There are no reported fixed by versions. |
| VCID-ykmc-6svu-nkhk (Aliases: CVE-2022-40834) | | There are no reported fixed by versions. |
| VCID-ypn2-2ubu-pfhn (Aliases: GHSA-27qr-636m-wxg2) | codeigniter/framework SQL injection in the ODBC database driver. | Affected by 16 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |