Lucene search
OpenJS FoundationFRIENDSOFPHP:CODEIGNITER4HistoryJan 04, 2022 - 12:59 a.m.
CVE-2022-21647: Deserialization of Untrusted Data in Codeigniter4
2022-01-0400:59:31
OpenJS Foundation
github.com
13
0.1 Low
EPSS
Percentile
94.9%
Description Impact Deserialization of Untrusted Data was found in the old() function in CodeIgniter4. Remote attackers may inject auto-loadable arbitrary objects with this vulnerability, and possibly execute existing PHP code on the server. We are aware of a working exploit, which can lead to SQL injection. Patches Upgrade to v4.1.6 or later. Workarounds Do not use: old() and form_helper RedirectResponse::withInput() and redirect()->withInput() References PHP Object Injection | OWASP For more information If you have any questions or comments about this advisory: Open an issue in codeigniter4/CodeIgniter4 Email us at SECURITY.md
| CPE | Name | Operator | Version |
|---|---|---|---|
| codeigniter4/framework | lt | 4.1.6 |
Related
cvelist
cvelist
CVE-2022-21647 Deserialization of Untrusted Data in Codeigniter4
2022-01-04 20:05:11
osv
osv
CVE-2022-21647
2022-01-04 20:15:07
Deserialization of Untrusted Data in Codeigniter4
2022-01-06 22:52:41
BIT-codeigniter-2022-21647
2024-03-06 10:54:39
friendsofphp
friendsofphp
CVE-2022-21647: Deserialization of Untrusted Data in Codeigniter4
2022-01-04 00:59:31
cve
cve
CVE-2022-21647
2022-01-04 20:15:07
prion
prion
Deserialization of untrusted data
2022-01-04 20:15:00
github
github
Deserialization of Untrusted Data in Codeigniter4
2022-01-06 22:52:41
veracode
veracode
SQL Injection
2022-01-05 05:02:53
cnvd
cnvd
CodeIgniter code issues vulnerabilities
2022-01-06 00:00:00
nvd
nvd
CVE-2022-21647
2022-01-04 20:15:07