GitHub_MCVELIST:CVE-2022-35943CVE-2022-35943 SameSite may allow cross-site request forgery (CSRF) protection to be bypassed
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:L
9.2 High
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
55.6%
Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow SameSite Attackers to bypass the CodeIgniter4 CSRF protection mechanism with CodeIgniter Shield. For this attack to succeed, the attacker must have direct (or indirect, e.g., XSS) control over a subdomain site (e.g., https://a.example.com/) of the target site (e.g., http://example.com/). Upgrade to CodeIgniter v4.2.3 or later andShield v1.0.0-beta.2 or later. As a workaround: set Config\Security::$csrfProtection to 'session,'remove old session data right after login (immediately after ID and password match) and regenerate CSRF token right after login (immediately after ID and password match)
CNA Affected
[
{
"product": "shield",
"vendor": "codeigniter4",
"versions": [
{
"status": "affected",
"version": "> 4.3.2, > v1.0.0-beta.2"
}
]
}
]Related
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:L
9.2 High
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
55.6%