Vulnerability details: VCID-dbng-2m6j-1uha
Vulnerability ID VCID-dbng-2m6j-1uha
Aliases CVE-2022-35943
GHSA-5hm8-vh6r-2cjq
Summary Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow [SameSite Attackers](https://canitakeyoursubdomain.name/) to bypass the [CodeIgniter4 CSRF protection](https://codeigniter4.github.io/userguide/libraries/security.html) mechanism when it is used with CodeIgniter Shield. For this attack to succeed, the attacker must have direct (or indirect, e.g., XSS) control over a subdomain site (e.g., `https://a.example.com/`) of the target site (e.g., `http://example.com/`). Upgrade to **CodeIgniter v4.2.3 or later** and **Shield v1.0.0-beta.2 or later**. As a workaround: set `Config\Security::$csrfProtection` to `'session'`, remove old session data right after login (immediately after ID and password match), and regenerate the CSRF token right after login (immediately after ID and password match).
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (4)
| System | Score | Found at |
| --- | --- | --- |
| epss | 0.00153 | https://api.first.org/data/v1/epss?cve=CVE-2022-35943 |
| cvssv3.1 | 5.9 | https://codeigniter4.github.io/userguide/libraries/security.htm |
| generic_textual | MODERATE | https://codeigniter4.github.io/userguide/libraries/security.htm |
| ssvc | Track | https://codeigniter4.github.io/userguide/libraries/security.htm |
| cvssv3.1 | 5.9 | https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite |
| generic_textual | MODERATE | https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite |
| ssvc | Track | https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite |
| cvssv3.1_qr | MODERATE | https://github.com/advisories/GHSA-5hm8-vh6r-2cjq |
| cvssv3.1 | 5.9 | https://github.com/codeigniter4/shield |
| generic_textual | MODERATE | https://github.com/codeigniter4/shield |
| cvssv3.1 | 5.9 | https://github.com/codeigniter4/shield/commit/342a368536678621998c3c41d276480cd14ec6c6 |
| generic_textual | MODERATE | https://github.com/codeigniter4/shield/commit/342a368536678621998c3c41d276480cd14ec6c6 |
| cvssv3.1 | 5.9 | https://github.com/codeigniter4/shield/security/advisories/GHSA-5hm8-vh6r-2cjq |
| cvssv3.1_qr | MODERATE | https://github.com/codeigniter4/shield/security/advisories/GHSA-5hm8-vh6r-2cjq |
| generic_textual | MODERATE | https://github.com/codeigniter4/shield/security/advisories/GHSA-5hm8-vh6r-2cjq |
| ssvc | Track | https://github.com/codeigniter4/shield/security/advisories/GHSA-5hm8-vh6r-2cjq |
| cvssv3.1 | 5.9 | https://jub0bs.com/posts/2021-01-29-great-samesite-confusion |
| generic_textual | MODERATE | https://jub0bs.com/posts/2021-01-29-great-samesite-confusion |
| ssvc | Track | https://jub0bs.com/posts/2021-01-29-great-samesite-confusion |
| cvssv3.1 | 5.9 | https://nvd.nist.gov/vuln/detail/CVE-2022-35943 |
| generic_textual | MODERATE | https://nvd.nist.gov/vuln/detail/CVE-2022-35943 |
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:L Found at https://codeigniter4.github.io/userguide/libraries/security.htm
Decoded metrics: Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): required; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): high; Availability Impact (A): low.
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:07Z/ Found at https://codeigniter4.github.io/userguide/libraries/security.htm
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:L Found at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:07Z/ Found at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:L Found at https://github.com/codeigniter4/shield
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:L Found at https://github.com/codeigniter4/shield/commit/342a368536678621998c3c41d276480cd14ec6c6
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:L Found at https://github.com/codeigniter4/shield/security/advisories/GHSA-5hm8-vh6r-2cjq
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:07Z/ Found at https://github.com/codeigniter4/shield/security/advisories/GHSA-5hm8-vh6r-2cjq
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:L Found at https://jub0bs.com/posts/2021-01-29-great-samesite-confusion
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:07Z/ Found at https://jub0bs.com/posts/2021-01-29-great-samesite-confusion
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2022-35943
Exploit Prediction Scoring System (EPSS)
Percentile 0.35732
EPSS Score 0.00153
Published At June 11, 2026, 12:55 p.m.
| Date | Actor | Action | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- |
| 2026-06-11T17:38:25.753943+00:00 | Vulnrichment | Import | https://github.com/cisagov/vulnrichment/blob/develop/2022/35xxx/CVE-2022-35943.json | 38.6.0 |