CodeigniterShield

4 matches found

CVE
added 2022/08/12 8:55 p.m., 102 views

CVE-2022-35943

Summary: CVE-2022-35943 affects CodeIgniter Shield (CodeIgniter 4) and may allow SameSite attackers to bypass CSRF protection when they control a subdomain. The issue exists regardless of whether CSRF protection is cookie or session based, and regardless of regenerate setting. Affected software/c...

CVSS: 8.8, AI score: 7.3, EPSS: 0.00474

CVE
added 2023/03/13 5:14 p.m., 61 views

CVE-2023-27580

CodeIgniter Shield (for CodeIgniter 4) has a vulnerability in its password storage due to an improper implementation, making all hashed passwords stored in Shield v1.0.0-beta.3 or earlier easier to crack. A fix exists: upgrade to Shield v1.0.0-beta.4 or later. After upgrading, all users’ hashed p...

CVSS: 7.5, AI score: 6.5, EPSS: 0.00517

CVE
added 2023/11/24 5:16 p.m., 47 views

CVE-2023-48708

CodeIgniter Shield (for CodeIgniter 4) contains a vulnerability where successful login attempts can store raw tokens in the log table. If logs are viewed, an attacker could obtain a token and misuse user authority. The issue is fixed in Shield v1.0.0-beta.8; upgrade is advised. If upgrading isn’t...

CVSS: 6.5, AI score: 5.7, EPSS: 0.0063

CVE
added 2023/11/24 5:23 p.m., 40 views

CVE-2023-48707

The CVE-2023-48707 entry concerns CodeIgniter Shield (CodeIgniter 4) where the secretKey used for HMAC SHA256 authentication was stored in cleartext in the database in affected versions. This plaintext storage enables an attacker with DB access to misuse the secretKey to impersonate users via HMA...

CVSS: 6.5, AI score: 5.7, EPSS: 0.00284