Description Impact Deserialization of Untrusted Data was found in the old() function in CodeIgniter4. Remote attackers may inject auto-loadable arbitrary objects with this vulnerability, and possibly execute existing PHP code on the server. We are aware of a working exploit, which can lead to SQL injection. Patches Upgrade to v4.1.6 or later. Workarounds Do not use: old() and form_helper RedirectResponse::withInput() and redirect()->withInput() References PHP Object Injection | OWASP For more information If you have any questions or comments about this advisory: Open an issue in codeigniter4/CodeIgniter4 Email us at SECURITY.md
CPE | Name | Operator | Version |
---|---|---|---|
codeigniter4/framework | lt | 4.1.6 |