| purl | pkg:composer/codeigniter/framework@3.0.2 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-2hsz-vuhe-dbak (aliases: CVE-2022-40826) | | There are no reported fixed by versions. |
| VCID-2qzt-eskd-7qf4 (aliases: CVE-2022-40831) | | There are no reported fixed by versions. |
| VCID-3mhu-ddhm-5ke7 (aliases: CVE-2022-40830) | | There are no reported fixed by versions. |
| VCID-52pj-ryan-2yfj (aliases: CVE-2022-40825) | | There are no reported fixed by versions. |
| VCID-74bw-u8nc-3qbz (aliases: CVE-2022-40829) | | There are no reported fixed by versions. |
| VCID-7wzt-96yg-jfah (aliases: CVE-2022-40828) | | There are no reported fixed by versions. |
| VCID-8wbz-we3g-x3ep (aliases: GMS-2015-65) | Cross-site scripting (XSS) attack vector in the Security Library method `xss_clean()`. | Affected by 18 other vulnerabilities. |
| VCID-9fmk-e4fz-2ybu (aliases: CVE-2022-40832) | | There are no reported fixed by versions. |
| VCID-a6px-3qen-euct (aliases: GMS-2016-55) | Critical SQL injection bug in the ODBC database driver. | Affected by 16 other vulnerabilities. |
| VCID-e2md-avz8-bya9 (aliases: CVE-2022-40827) | | There are no reported fixed by versions. |
| VCID-e4vu-fhp3-j3em (aliases: CVE-2022-40834) | | There are no reported fixed by versions. |
| VCID-ebrh-16ww-3bhd (aliases: GHSA-27qr-636m-wxg2) | SQL injection in the ODBC database driver. CodeIgniter 3.1.0 fixed a critical SQL injection vulnerability in the ODBC database driver. Note that the fix removes query builder and `escape()` support for the ODBC driver; in their place it adds actual query binding, which does not depend on escaping the value into the SQL string. | Affected by 16 other vulnerabilities. |
| VCID-en5a-535z-ayca (aliases: CVE-2022-40833) | | There are no reported fixed by versions. |
| VCID-fpcv-9quu-8fe2 (aliases: CVE-2022-35943, GHSA-5hm8-vh6r-2cjq) | CodeIgniter Shield vulnerable to SameSite attackers bypassing the CSRF protection. Impact: this vulnerability may allow [SameSite attackers](https://canitakeyoursubdomain.name/) to bypass the [CodeIgniter4 CSRF protection](https://codeigniter4.github.io/userguide/libraries/security.html) mechanism when it is used with CodeIgniter Shield. For the attack to succeed, the attacker must have direct (or indirect, e.g. via XSS) control over a subdomain site (e.g. `https://a.example.com/`) of the target site (e.g. `http://example.com/`). The vulnerability exists whether `Config\Security::$csrfProtection` is `'cookie'` or `'session'`, and it is exploitable whether `Config\Security::$regenerate` is `true` or `false`. Patches: upgrade to CodeIgniter v4.2.3 or later and Shield v1.0.0-beta.2 or later. Workarounds (do all of the following): set `Config\Security::$csrfProtection` to `'session'`; remove old session data right after login (immediately after the ID and password match); regenerate the CSRF token right after login (immediately after the ID and password match). References: [SameSite cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite), [The great SameSite confusion](https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/). Questions or comments about this advisory: open an issue or discussion in [codeigniter4/shield](https://github.com/codeigniter4/shield) or email [security@codeigniter.com](mailto:security@codeigniter.com). | There are no reported fixed by versions. |
| VCID-gnfx-qs26-ukdx (aliases: CVE-2022-40835) | | There are no reported fixed by versions. |
| VCID-gubk-qp7e-h7f4 (aliases: GMS-2015-40) | XSS vulnerability: there is an XSS attack vector in the Security Library method `xss_clean()`. | Affected by 18 other vulnerabilities. |
| VCID-jn5c-h7cd-skfq (aliases: GHSA-q9j3-4ghj-6h57) | Inadequate XSS prevention in the CodeIgniter/Framework Security Library. The `xss_clean()` method is designed to sanitize input by removing potentially malicious content. In versions before 3.0.3 it did not adequately mitigate certain cross-site scripting vectors, so those vectors passed through its filtering. | Affected by 18 other vulnerabilities. |
| VCID-p756-2jkm-9fc5 (aliases: CVE-2022-40824) | | There are no reported fixed by versions. |
| VCID-qdfk-n9gt-6yfp (aliases: CVE-2023-32692, GHSA-m6m8-6gq8-c9fj, GMS-2023-1562) | Duplicate: this advisory duplicates another. | Affected by 0 other vulnerabilities. |
| VCID-s6nh-cvkt-vygr (aliases: CVE-2023-46240, GHSA-hwxf-qxj7-7rfj) | Generation of error message containing sensitive information. CodeIgniter is a PHP full-stack web framework. Before CodeIgniter4 version 4.4.3, if an error or exception occurs, a detailed error report is displayed even in the production environment, so confidential information may be leaked. Version 4.4.3 contains a patch. As a workaround, replace `ini_set('display_errors', '0')` with `ini_set('display_errors', 'Off')` in `app/Config/Boot/production.php`. | There are no reported fixed by versions. |
| VCID-s814-tdxe-1baf (aliases: CVE-2018-12071, GHSA-g434-3q2j-hj4r) | A session fixation issue exists in CodeIgniter because `session.use_strict_mode` was mishandled in the Session Library. | Affected by 15 other vulnerabilities. |
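The two ODBC entries above say the 3.1.0 fix dropped `escape()`-based quoting for that driver and added real query binding. The following is an added illustration in Python, not CodeIgniter's code, of why that distinction matters: a generic escape routine has to know the backend's quoting rules, and when it guesses wrong the escaped quote still terminates the string literal, whereas a bound parameter is never parsed as SQL. The `naive_escape` routine, the in-memory SQLite table, the sample rows and the payload are all constructed for this example; SQLite stands in for the ODBC-attached backend.

```python
import sqlite3

# Constructed sample rows for this illustration.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite stands in for the ODBC-attached backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def naive_escape(value: str) -> str:
    """Illustrative escape routine, not CodeIgniter's escape().

    It backslash-escapes quotes, which MySQL-style backends understand.
    SQLite (like a number of ODBC targets) treats a backslash as an ordinary
    character and only recognises '' as an escaped quote, so the quote this
    routine 'neutralises' still closes the string literal.
    """
    return value.replace("\\", "\\\\").replace("'", "\\'")


def lookup_escaped(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: builds the SQL string around the escaped value."""
    sql = "SELECT id, name, email FROM users WHERE name = '%s'" % naive_escape(name)
    return conn.execute(sql).fetchall()


def lookup_bound(conn: sqlite3.Connection, name: str) -> list:
    """Safe: the value travels as a bound parameter and is never parsed as SQL,
    so correctness no longer depends on matching the backend's quoting rules."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


PAYLOAD = "x' OR 1=1 --"   # constructed attacker input


if __name__ == "__main__":
    db = make_db()
    print("escaped :", lookup_escaped(db, PAYLOAD))   # every row comes back
    print("bound   :", lookup_bound(db, PAYLOAD))     # []
    print("bound ok:", lookup_bound(db, "alice"))
```

With the payload, `naive_escape` turns the query into `WHERE name = 'x\' OR 1=1 --'`; SQLite reads `'x\'` as a complete literal and the rest as live SQL, so the escaped lookup returns the whole table while the bound lookup returns nothing.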
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |
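The CVE-2022-35943 entry above describes a SameSite attacker bypassing the CSRF protection and lists the workarounds. The following added Python model, not CodeIgniter or Shield code, replays the attack against a toy server in both CSRF modes: from a subdomain, the attacker plants cookies scoped to the parent domain; the cookie names `ci_session` and `csrf_cookie_name`, the toy server, its cookie jar and the `regenerate_on_login` switch (which stands for the advisory's "remove old session data and regenerate the CSRF token right after login" workaround) are all assumptions made for this illustration. In the model only session mode combined with regeneration at login defeats the forged request, which matches the advisory's instruction to apply all of its workarounds together.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class BrowserCookieJar:
    """Toy cookie store keyed by (domain, name).

    A page on a.example.com may set a cookie with Domain=example.com, which the
    browser then also sends to example.com (cookie tossing). A page on an
    unrelated site cannot, which is why the advisory requires the attacker to
    control a subdomain of the target. Host-only cookies are not modelled.
    """
    cookies: dict = field(default_factory=dict)

    def set_from(self, page_host: str, name: str, value: str, domain: str) -> None:
        if not (page_host == domain or page_host.endswith("." + domain)):
            raise ValueError("Domain attribute does not match the setting host")
        self.cookies[(domain, name)] = value

    def for_host(self, host: str) -> dict:
        return {name: value for (domain, name), value in self.cookies.items()
                if host == domain or host.endswith("." + domain)}


class ToyServer:
    """Stand-in for the CSRF check; csrf_mode is 'cookie' or 'session'."""

    def __init__(self, csrf_mode: str, regenerate_on_login: bool) -> None:
        self.csrf_mode = csrf_mode
        self.regenerate_on_login = regenerate_on_login   # the advisory's workaround
        self.sessions = {}   # session id -> {"csrf": token, "user": name or None}

    def new_session(self):
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = {"csrf": token, "user": None}
        return sid, token

    def login(self, cookies: dict, user: str):
        """Credentials matched; returns (session id, token) to hand to the browser."""
        sid = cookies.get("ci_session")
        if sid not in self.sessions:
            sid, _ = self.new_session()
        if self.regenerate_on_login:
            # Discard whatever session the browser arrived with (it may have been
            # planted by the attacker) and issue a fresh id and CSRF token.
            del self.sessions[sid]
            sid, _ = self.new_session()
        self.sessions[sid]["user"] = user
        return sid, self.sessions[sid]["csrf"]

    def transfer(self, cookies: dict, form_token: str) -> bool:
        """A state-changing POST. True means the CSRF check passed."""
        session = self.sessions.get(cookies.get("ci_session"))
        if session is None or session["user"] is None:
            return False
        if self.csrf_mode == "cookie":
            expected = cookies.get("csrf_cookie_name")   # double-submit cookie
        else:
            expected = session["csrf"]                   # server-side copy
        return expected is not None and secrets.compare_digest(expected, form_token)


def run_attack(csrf_mode: str, regenerate_on_login: bool) -> bool:
    """Victim logs in at example.com; attacker controls a.example.com.
    Returns True if the attacker's forged POST passes the CSRF check."""
    server = ToyServer(csrf_mode, regenerate_on_login)
    jar = BrowserCookieJar()

    # 1. Before the victim logs in, the attacker's subdomain page plants its own
    #    session id (and, in cookie mode, its own CSRF token) for example.com.
    atk_sid, atk_token = server.new_session()
    jar.set_from("a.example.com", "ci_session", atk_sid, "example.com")
    if csrf_mode == "cookie":
        jar.set_from("a.example.com", "csrf_cookie_name", atk_token, "example.com")

    # 2. The victim logs in; the server hands back whatever it considers current.
    sid, token = server.login(jar.for_host("example.com"), "victim")
    jar.set_from("example.com", "ci_session", sid, "example.com")
    if csrf_mode == "cookie":
        jar.set_from("example.com", "csrf_cookie_name", token, "example.com")

    # 3. The attacker re-tosses the CSRF cookie (the subdomain is still theirs)
    #    and submits a cross-site form carrying the same token value.
    if csrf_mode == "cookie":
        jar.set_from("a.example.com", "csrf_cookie_name", atk_token, "example.com")
    return server.transfer(jar.for_host("example.com"), atk_token)


def unrelated_site_can_toss() -> bool:
    """A non-subdomain attacker cannot scope a cookie to example.com."""
    try:
        BrowserCookieJar().set_from("evil.test", "ci_session", "x", "example.com")
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for mode in ("cookie", "session"):
        for regen in (False, True):
            print(f"mode={mode:7} regenerate_on_login={regen!s:5} "
                  f"bypassed={run_attack(mode, regen)}")
```

Cookie mode falls regardless of regeneration because the double-submit check compares two values the attacker both supplied. Session mode without regeneration falls to session fixation: the victim authenticates inside the session the attacker tossed, so its CSRF token is already known to the attacker. Only discarding that session and minting a new token at login leaves the attacker with nothing to forge.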