VulnerableCode Package Details - pkg:composer/codeigniter/framework@3.1.8

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:composer/codeigniter/framework@3.1.8

Essentials
History (16)

purl	pkg:composer/codeigniter/framework@3.1.8

Next non-vulnerable version	None.
Latest non-vulnerable version	None.
Risk	4.5

Vulnerabilities affecting this package (16)

Vulnerability	Summary	Fixed by
VCID-2hsz-vuhe-dbak Aliases: CVE-2022-40826		There are no reported fixed by versions.
VCID-2qzt-eskd-7qf4 Aliases: CVE-2022-40831		There are no reported fixed by versions.
VCID-3mhu-ddhm-5ke7 Aliases: CVE-2022-40830		There are no reported fixed by versions.
VCID-52pj-ryan-2yfj Aliases: CVE-2022-40825		There are no reported fixed by versions.
VCID-74bw-u8nc-3qbz Aliases: CVE-2022-40829		There are no reported fixed by versions.
VCID-7wzt-96yg-jfah Aliases: CVE-2022-40828		There are no reported fixed by versions.
VCID-9fmk-e4fz-2ybu Aliases: CVE-2022-40832		There are no reported fixed by versions.
VCID-e2md-avz8-bya9 Aliases: CVE-2022-40827		There are no reported fixed by versions.
VCID-e4vu-fhp3-j3em Aliases: CVE-2022-40834		There are no reported fixed by versions.
VCID-en5a-535z-ayca Aliases: CVE-2022-40833		There are no reported fixed by versions.
VCID-fpcv-9quu-8fe2 Aliases: CVE-2022-35943 GHSA-5hm8-vh6r-2cjq	CodeIgniter Shield Vulnerable to SameSite Attackers Bypassing the CSRF Protection ### Impact This vulnerability may allow [SameSite Attackers](https://canitakeyoursubdomain.name/) to bypass the [CodeIgniter4 CSRF protection](https://codeigniter4.github.io/userguide/libraries/security.html) mechanism with CodeIgniter Shield. For this attack to succeed, the attacker must have direct (or indirect, e.g., XSS) control over a subdomain site (e.g., `https://a.example.com/`) of the target site (e.g., `http://example.com/`). This vulnerability exists whether `Config\Security::$csrfProtection` is `'cookie'` or `'session'`. It is also exploitable whether `Config\Security::$regenerate` is `true` or `false`. ### Patches Upgrade to CodeIgniter v4.2.3 or later and Shield v1.0.0-beta.2 or later. ### Workarounds Do all of the following: - set `Config\Security::$csrfProtection` to `'session'` - remove old session data right after login (immediately after ID and password match) - regenerate CSRF token right after login (immediately after ID and password match) ### References - [CodeIgniter4 CSRF Protection](https://codeigniter4.github.io/userguide/libraries/security.html) - [SameSite Attacks](https://canitakeyoursubdomain.name/) - [SameSite Cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) - [The great SameSite confusion](https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/) ### For more information If you have any questions or comments about this advisory: * Open an issue or discussion in [codeigniter4/shield](https://github.com/codeigniter4/shield) * Email us at [security@codeigniter.com](mailto:security@codeigniter.com)	There are no reported fixed by versions.
VCID-gnfx-qs26-ukdx Aliases: CVE-2022-40835		There are no reported fixed by versions.
VCID-p756-2jkm-9fc5 Aliases: CVE-2022-40824		There are no reported fixed by versions.
VCID-qdfk-n9gt-6yfp Aliases: CVE-2023-32692 GHSA-m6m8-6gq8-c9fj GMS-2023-1562	Duplicate This advisory duplicates another.	4.3.5 Affected by 0 other vulnerabilities.
VCID-s6nh-cvkt-vygr Aliases: CVE-2023-46240 GHSA-hwxf-qxj7-7rfj	Generation of Error Message Containing Sensitive Information CodeIgniter is a PHP full-stack web framework. Prior to CodeIgniter4 version 4.4.3, if an error or exception occurs, a detailed error report is displayed even if in the production environment. As a result, confidential information may be leaked. Version 4.4.3 contains a patch. As a workaround, replace `ini_set('display_errors', '0')` with `ini_set('display_errors', 'Off')` in `app/Config/Boot/production.php`.	There are no reported fixed by versions.
VCID-s814-tdxe-1baf Aliases: CVE-2018-12071 GHSA-g434-3q2j-hj4r	A Session Fixation issue exists in CodeIgniter because `session.use_strict_mode` in the Session Library was mishandled.	3.1.10 Affected by 15 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T04:16:51.051712+00:00	GitLab Importer	Affected by	VCID-s6nh-cvkt-vygr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/codeigniter/framework/CVE-2023-46240.yml	38.6.0
2026-06-06T03:47:31.282984+00:00	GitLab Importer	Affected by	VCID-qdfk-n9gt-6yfp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/codeigniter/framework/CVE-2023-32692.yml	38.6.0
2026-06-06T03:02:29.547989+00:00	GitLab Importer	Affected by	VCID-9fmk-e4fz-2ybu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/codeigniter/framework/CVE-2022-40832.yml	38.6.0
2026-06-06T03:02:28.724137+00:00	GitLab Importer	Affected by	VCID-2hsz-vuhe-dbak	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/codeigniter/framework/CVE-2022-40826.yml	38.6.0
2026-06-06T03:02:27.164433+00:00	GitLab Importer	Affected by	VCID-3mhu-ddhm-5ke7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/codeigniter/framework/CVE-2022-40830.yml	38.6.0
2026-06-06T03:02:26.501725+00:00	GitLab Importer	Affected by	VCID-en5a-535z-ayca	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/codeigniter/framework/CVE-2022-40833.yml	38.6.0
2026-06-06T03:02:25.492241+00:00	GitLab Importer	Affected by	VCID-2qzt-eskd-7qf4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/codeigniter/framework/CVE-2022-40831.yml	38.6.0
2026-06-06T03:02:24.830014+00:00	GitLab Importer	Affected by	VCID-e4vu-fhp3-j3em	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/codeigniter/framework/CVE-2022-40834.yml	38.6.0
2026-06-06T03:02:24.167091+00:00	GitLab Importer	Affected by	VCID-7wzt-96yg-jfah	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/codeigniter/framework/CVE-2022-40828.yml	38.6.0
2026-06-06T03:02:23.518057+00:00	GitLab Importer	Affected by	VCID-gnfx-qs26-ukdx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/codeigniter/framework/CVE-2022-40835.yml	38.6.0
2026-06-06T03:02:20.838292+00:00	GitLab Importer	Affected by	VCID-52pj-ryan-2yfj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/codeigniter/framework/CVE-2022-40825.yml	38.6.0
2026-06-06T03:02:19.474630+00:00	GitLab Importer	Affected by	VCID-74bw-u8nc-3qbz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/codeigniter/framework/CVE-2022-40829.yml	38.6.0
2026-06-06T03:02:11.819949+00:00	GitLab Importer	Affected by	VCID-e2md-avz8-bya9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/codeigniter/framework/CVE-2022-40827.yml	38.6.0
2026-06-06T03:02:11.167276+00:00	GitLab Importer	Affected by	VCID-p756-2jkm-9fc5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/codeigniter/framework/CVE-2022-40824.yml	38.6.0
2026-06-06T02:45:17.245277+00:00	GitLab Importer	Affected by	VCID-fpcv-9quu-8fe2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/codeigniter/framework/CVE-2022-35943.yml	38.6.0
2026-06-06T01:58:27.872146+00:00	GitLab Importer	Affected by	VCID-s814-tdxe-1baf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/codeigniter/framework/CVE-2018-12071.yml	38.6.0