CVE-2022-35943
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-35943
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-35943.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-35943
- Aliases
- Published
- 2022-08-12T20:55:10Z
- Modified
- 2025-11-19T11:05:37.820574Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:L CVSS Calculator
- Summary
- SameSite may allow cross-site request forgery (CSRF) protection to be bypassed
- Details
-
Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow SameSite Attackers to bypass the CodeIgniter4 CSRF protection mechanism with CodeIgniter Shield. For this attack to succeed, the attacker must have direct (or indirect, e.g., XSS) control over a subdomain site (e.g.,
https://a.example.com/) of the target site (e.g.,http://example.com/). Upgrade to CodeIgniter v4.2.3 or later and Shield v1.0.0-beta.2 or later. As a workaround: setConfig\Security::$csrfProtectionto'session,'remove old session data right after login (immediately after ID and password match) and regenerate CSRF token right after login (immediately after ID and password match) - Database specific
{ "cwe_ids": [ "CWE-352" ] }- References
Affected packages
Git / github.com/codeigniter4/codeigniter4
Affected ranges
- Type
- GIT
- Repo
- https://github.com/codeigniter4/codeigniter4
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
4.*
4.0.0
4.0.2
v4.*
v4.0.0-alpha.1
v4.0.0-alpha.2
v4.0.0-alpha.3
v4.0.0-alpha.4
v4.0.0-alpha.5
v4.0.0-beta.1
v4.0.0-beta.3
v4.0.0-beta.4
v4.0.0-rc.1
v4.0.0-rc.2
v4.0.0-rc.2.1
v4.0.0-rc.2b
v4.0.0-rc.3
v4.0.0-rc.4
v4.0.0.0-alpha.5
v4.0.1
v4.0.3
v4.0.4
v4.0.5
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.1.7
v4.1.8
v4.1.9
v4.2.0
v4.2.1
v4.2.2