86 matches found

Cvelist
added 2022/10/06 12:0 a.m., 10 views

CVE-2022-39284 Secure or HttpOnly flag set in Config\Cookie is not reflected in Cookies issued in Codeigniter4

CodeIgniter is a PHP full-stack web framework. In versions prior to 4.2.7 setting $secure or $httponly value to true in Config\Cookie is not reflected in setcookie or Response::setCookie. As a result cookie values are erroneously exposed to scripts. It should be noted that this vulnerability does...

CVSS 2.6 | AI score 5 | EPSS 0.00492
Exploits 1 | References 6

Vulnrichment
added 2022/10/06 12:0 a.m., 6 views

CVE-2022-39284 Secure or HttpOnly flag set in Config\Cookie is not reflected in Cookies issued in Codeigniter4

CodeIgniter is a PHP full-stack web framework. In versions prior to 4.2.7 setting $secure or $httponly value to true in Config\Cookie is not reflected in setcookie or Response::setCookie. As a result cookie values are erroneously exposed to scripts. It should be noted that this vulnerability does...

CVSS 2.6 | AI score 5.1 | EPSS 0.00492
Exploits 1 | References 6

Veracode
added 2022/08/15 4:21 a.m., 24 views

Cross-Site Request Forgery (CSRF)

codeigniter4/shield is vulnerable to cross-site request forgery. The vulnerability exists in the startLogin function of Session.php, allowing same site attackers to bypass the CSRF Protection mechanism and redirect to malicious urls such as https://a.example.com/ and http://example.com/ when the...

CVSS 8.8 | AI score 8.3 | EPSS 0.00153
Exploits 1 | References 6 | Affected Software 1

Veracode
added 2022/03/02 6:23 a.m., 39 views

Remote Code Execution (RCE)

codeigniter4/framework is vulnerable to remote code execution. The vulnerability exists due to the improper input validation in the library, allowing an attacker to execute CLI routes via an HTTP request...

CVSS 9.8 | AI score 4 | EPSS 0.00413
Exploits 0 | References 3 | Affected Software 1

OSV
added 2022/03/01 9:47 p.m., 34 views

GHSA-4V37-24GM-H554 Cross-Site Request Forgery (CSRF) Protection Bypass Vulnerability in CodeIgniter4

Impact This vulnerability might allow remote attackers to bypass the CodeIgniter4 CSRF protection mechanism. Patches Upgrade to v4.1.9 or later. Workarounds These are workarounds for this vulnerability, but you will still need to code as these after upgrading to v4.1.9. Otherwise, the CSRF...

CVSS 6.3 | AI score 7.5 | EPSS 0.00076
Exploits 0 | References 3

Github Security Blog
added 2022/03/01 9:47 p.m., 42 views

Cross-Site Request Forgery (CSRF) Protection Bypass Vulnerability in CodeIgniter4

Impact This vulnerability might allow remote attackers to bypass the CodeIgniter4 CSRF protection mechanism. Patches Upgrade to v4.1.9 or later. Workarounds These are workarounds for this vulnerability, but you will still need to code as these after upgrading to v4.1.9. Otherwise, the CSRF...

CVSS 8.8 | AI score 0.7 | EPSS 0.00076
Exploits 0 | References 4 | Affected Software 1

Github Security Blog
added 2022/03/01 9:44 p.m., 160 views

Remote CLI Command Execution Vulnerability in CodeIgniter4

Impact This vulnerability allows attackers to execute CLI routes via HTTP request. Patches Upgrade to v4.1.9 or later. Workarounds None. For more information If you have any questions or comments about this advisory: Open an issue in codeigniter4/CodeIgniter4 Email us at SECURITY.md...

CVSS 9.8 | AI score 5.8 | EPSS 0.00413
Exploits 0 | References 5 | Affected Software 1

OSV
added 2022/03/01 9:44 p.m., 39 views

GHSA-XJP4-6W75-QRJ7 Remote CLI Command Execution Vulnerability in CodeIgniter4

Impact This vulnerability allows attackers to execute CLI routes via HTTP request. Patches Upgrade to v4.1.9 or later. Workarounds None. For more information If you have any questions or comments about this advisory: Open an issue in codeigniter4/CodeIgniter4 Email us at SECURITY.md...

CVSS 9.4 | AI score 9.5 | EPSS 0.00413
Exploits 0 | References 5

Veracode
added 2022/03/01 7:34 a.m., 46 views

Cross-Site Request Forgery (CSRF)

codeigniter4/framework is vulnerable to cross-site request forgery. When auto-routing is enabled, the library checks the request method in the controller method before processing. When auto-routing is disabled, avoid using $routes->add and instead use HTTP verbs in routes, allowing an attacker to...

CVSS 8.8 | AI score 1.9 | EPSS 0.00076
Exploits 0 | References 3 | Affected Software 1

NVD
added 2022/02/28 4:15 p.m., 15 views

CVE-2022-24712

CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A vulnerability in versions prior to 4.1.9 might allow remote attackers to bypass the CodeIgniter4 Cross-Site Request Forgery CSRF protection mechanism. Users should upgrade to version 4.1.9. There are workarounds for...

CVSS 8.8 | EPSS 0.00076
Exploits 0 | References 2

NVD
added 2022/02/28 4:15 p.m., 7 views

CVE-2022-24711

CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. Prior to version 4.1.9, an improper input validation vulnerability allows attackers to execute CLI routes via HTTP request. Version 4.1.9 contains a patch. There are currently no known workarounds for this vulnerabilit...

CVSS 9.8 | EPSS 0.00413
Exploits 0 | References 2

Prion
added 2022/02/28 4:15 p.m., 22 views

Input validation

CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. Prior to version 4.1.9, an improper input validation vulnerability allows attackers to execute CLI routes via HTTP request. Version 4.1.9 contains a patch. There are currently no known workarounds for this vulnerabilit...

CVSS 7.5 | AI score 9.6 | EPSS 0.00413
Exploits 0 | References 2 | Affected Software 1

Prion
added 2022/02/28 4:15 p.m., 11 views

Cross site request forgery (csrf)

CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A vulnerability in versions prior to 4.1.9 might allow remote attackers to bypass the CodeIgniter4 Cross-Site Request Forgery CSRF protection mechanism. Users should upgrade to version 4.1.9. There are workarounds for...

CVSS 6.8 | AI score 9 | EPSS 0.00076
Exploits 0 | References 2 | Affected Software 1

Vulnrichment
added 2022/02/28 4:0 p.m., 4 views

CVE-2022-24712 Cross-Site Request Forgery (CSRF) Protection Bypass Vulnerability in CodeIgniter4

CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A vulnerability in versions prior to 4.1.9 might allow remote attackers to bypass the CodeIgniter4 Cross-Site Request Forgery CSRF protection mechanism. Users should upgrade to version 4.1.9. There are workarounds for...

CVSS 6.3 | AI score 9.1 | EPSS 0.00076
Exploits 0 | References 2

CVE
added 2022/02/28 4:0 p.m., 104 views

CVE-2022-24712

CVE-2022-24712 affects CodeIgniter4 (4.x) prior to 4.1.9. The issue allows bypassing the CSRF protection mechanism, enabling potential unauthorized actions. Remediation: upgrade to CodeIgniter4 v4.1.9 or later. Workarounds exist (e.g., controller-method checks of request method or routing adjustm...

CVSS 8.8 | AI score 7.8 | EPSS 0.00076
Exploits 0 | References 2 | Affected Software 1

OSV
added 2022/02/28 4:0 p.m., 20 views

CVE-2022-24712 Cross-Site Request Forgery (CSRF) Protection Bypass Vulnerability in CodeIgniter4

CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A vulnerability in versions prior to 4.1.9 might allow remote attackers to bypass the CodeIgniter4 Cross-Site Request Forgery CSRF protection mechanism. Users should upgrade to version 4.1.9. There are workarounds for...

CVSS 6.3 | AI score 8.6 | EPSS 0.00076
Exploits 0 | References 4

Cvelist
added 2022/02/28 4:0 p.m., 16 views

CVE-2022-24712 Cross-Site Request Forgery (CSRF) Protection Bypass Vulnerability in CodeIgniter4

CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A vulnerability in versions prior to 4.1.9 might allow remote attackers to bypass the CodeIgniter4 Cross-Site Request Forgery CSRF protection mechanism. Users should upgrade to version 4.1.9. There are workarounds for...

CVSS 6.3 | AI score 9.3 | EPSS 0.00076
Exploits 0 | References 2

Cvelist
added 2022/02/28 3:45 p.m., 12 views

CVE-2022-24711 Remote CLI Command Execution Vulnerability in CodeIgniter4

CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. Prior to version 4.1.9, an improper input validation vulnerability allows attackers to execute CLI routes via HTTP request. Version 4.1.9 contains a patch. There are currently no known workarounds for this vulnerabilit...

CVSS 9.4 | AI score 9.8 | EPSS 0.00413
Exploits 0 | References 2

CVE
added 2022/02/28 3:45 p.m., 405 views

CVE-2022-24711

CVE-2022-24711 affects CodeIgniter4 before 4.1.9. An improper input validation vulnerability allows an HTTP request to trigger CLI routes. A patch is provided in 4.1.9 (upgrade to 4.1.9 or later). Other sources (GHSA, OSV, Red Hat) corroborate the remote CLI execution vector and the upgrade remed...

CVSS 9.8 | AI score 9.6 | EPSS 0.00413
Exploits 0 | References 2 | Affected Software 1

OSV
added 2022/02/28 3:45 p.m., 14 views

CVE-2022-24711 Remote CLI Command Execution Vulnerability in CodeIgniter4

CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. Prior to version 4.1.9, an improper input validation vulnerability allows attackers to execute CLI routes via HTTP request. Version 4.1.9 contains a patch. There are currently no known workarounds for this vulnerabilit...

CVSS 9.4 | AI score 9.2 | EPSS 0.00413
Exploits 0 | References 4