VulnerableCode Package Details - pkg:composer/codeigniter4/shield@1.0.0-beta.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-hdcm-szxg-7ucu Aliases: CVE-2023-27580 GHSA-c5vj-f36q-p9vg	CodeIgniter Shield provides authentication and authorization for the CodeIgniter 4 PHP framework. An improper implementation was found in the password storage process. All hashed passwords stored in Shield v1.0.0-beta.3 or earlier are easier to crack than expected due to the vulnerability. Therefore, they should be removed as soon as possible. If an attacker gets (1) the user's hashed password by Shield, and (2) the hashed password (SHA-384 hash without salt) from somewhere, the attacker may easily crack the user's password. Upgrade to Shield v1.0.0-beta.4 or later to fix this issue. After upgrading, all users’ hashed passwords should be updated (saved to the database). There are no known workarounds.	1.0.0-beta.4 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-ksav-p5du-duep Aliases: CVE-2023-48708 GHSA-j72f-h752-mx4w GMS-2023-4599		1.0.0-beta.8 Affected by 0 other vulnerabilities.
VCID-pmr7-5sk2-dyat Aliases: CVE-2023-48707 GHSA-v427-c49j-8w6x GMS-2023-4600		1.0.0-beta.8 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-hdcm-szxg-7ucu
Aliases:
CVE-2023-27580
GHSA-c5vj-f36q-p9vg

CodeIgniter Shield provides authentication and authorization for the CodeIgniter 4 PHP framework. An improper implementation was found in the password storage process. All hashed passwords stored in Shield v1.0.0-beta.3 or earlier are easier to crack than expected due to the vulnerability. Therefore, they should be removed as soon as possible. If an attacker gets (1) the user's hashed password by Shield, and (2) the hashed password (SHA-384 hash without salt) from somewhere, the attacker may easily crack the user's password. Upgrade to Shield v1.0.0-beta.4 or later to fix this issue. After upgrading, all users’ hashed passwords should be updated (saved to the database). There are no known workarounds.

1.0.0-beta.4
Affected by 2 other vulnerabilities.

VCID-ksav-p5du-duep
Aliases:
CVE-2023-48708
GHSA-j72f-h752-mx4w
GMS-2023-4599

1.0.0-beta.8
Affected by 0 other vulnerabilities.

VCID-pmr7-5sk2-dyat
Aliases:
CVE-2023-48707
GHSA-v427-c49j-8w6x
GMS-2023-4600

1.0.0-beta.8
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-dbng-2m6j-1uha	Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow [SameSite Attackers](https://canitakeyoursubdomain.name/) to bypass the [CodeIgniter4 CSRF protection](https://codeigniter4.github.io/userguide/libraries/security.html) mechanism with CodeIgniter Shield. For this attack to succeed, the attacker must have direct (or indirect, e.g., XSS) control over a subdomain site (e.g., `https://a.example.com/`) of the target site (e.g., `http://example.com/`). Upgrade to CodeIgniter v4.2.3 or later and Shield v1.0.0-beta.2 or later. As a workaround: set `Config\Security::$csrfProtection` to `'session,'`remove old session data right after login (immediately after ID and password match) and regenerate CSRF token right after login (immediately after ID and password match)	CVE-2022-35943 GHSA-5hm8-vh6r-2cjq

Vulnerability

Summary

Aliases

VCID-dbng-2m6j-1uha

Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow [SameSite Attackers](https://canitakeyoursubdomain.name/) to bypass the [CodeIgniter4 CSRF protection](https://codeigniter4.github.io/userguide/libraries/security.html) mechanism with CodeIgniter Shield. For this attack to succeed, the attacker must have direct (or indirect, e.g., XSS) control over a subdomain site (e.g., `https://a.example.com/`) of the target site (e.g., `http://example.com/`). Upgrade to **CodeIgniter v4.2.3 or later** and **Shield v1.0.0-beta.2 or later**. As a workaround: set `Config\Security::$csrfProtection` to `'session,'`remove old session data right after login (immediately after ID and password match) and regenerate CSRF token right after login (immediately after ID and password match)

CVE-2022-35943
GHSA-5hm8-vh6r-2cjq

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T19:11:47.767710+00:00	GitLab Importer	Affected by	VCID-ksav-p5du-duep	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/codeigniter4/shield/GMS-2023-4599.yml	38.6.0
2026-06-12T19:11:46.872080+00:00	GitLab Importer	Affected by	VCID-pmr7-5sk2-dyat	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/codeigniter4/shield/GMS-2023-4600.yml	38.6.0
2026-06-12T18:49:06.694422+00:00	GitLab Importer	Affected by	VCID-hdcm-szxg-7ucu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/codeigniter4/shield/CVE-2023-27580.yml	38.6.0
2026-06-12T18:29:54.915525+00:00	GitLab Importer	Fixing	VCID-dbng-2m6j-1uha	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/codeigniter4/shield/CVE-2022-35943.yml	38.6.0
2026-06-12T08:16:30.531753+00:00	GithubOSV Importer	Fixing	VCID-dbng-2m6j-1uha	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-5hm8-vh6r-2cjq/GHSA-5hm8-vh6r-2cjq.json	38.6.0
2026-06-11T20:32:03.246639+00:00	GHSA Importer	Fixing	VCID-dbng-2m6j-1uha	https://github.com/advisories/GHSA-5hm8-vh6r-2cjq	38.6.0