GHSA-m6m8-6gq8-c9fj

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-m6m8-6gq8-c9fj/GHSA-m6m8-6gq8-c9fj.json
Aliases
  • CVE-2023-32692
Published
2023-05-22T19:49:11Z
Modified
2023-05-30T06:50:12.229726Z
Details

Impact

This vulnerability allows attackers to execute arbitrary code when you use Validation Placeholders.

The vulnerability exists in the Validation library, and validation methods in the controller and in-model validation are also vulnerable because they use the Validation library internally.

Patches

Upgrade to v4.3.5 or later.

Workarounds

Setting validation rules with an array.

E.g.:

$validation->setRules([
    'email' => ['required', 'valid_email, 'is_unique[users.email,id,{id}]'],
]);

References

  • https://codeigniter4.github.io/userguide/libraries/validation.html#validation-placeholders
  • https://codeigniter4.github.io/userguide/incoming/controllers.html#validating-data
  • https://codeigniter4.github.io/userguide/models/model.html#in-model-validation
References

Affected packages

Packagist / codeigniter4/framework

codeigniter4/framework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0
Fixed
4.3.5

Affected versions

4.*

4.0.0
4.0.0-rc.4

v4.*

v4.0.0-alpha.3
v4.0.0-alpha.4
v4.0.0-alpha.5
v4.0.0-beta.1
v4.0.0-beta.2
v4.0.0-beta.3
v4.0.0-beta.4
v4.0.0-rc.1
v4.0.0-rc.2
v4.0.0-rc.2.1
v4.0.0-rc.3
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.1.7
v4.1.8
v4.1.9
v4.2.0
v4.2.1
v4.2.10
v4.2.11
v4.2.12
v4.2.2
v4.2.3
v4.2.4
v4.2.5
v4.2.6
v4.2.7
v4.2.8
v4.2.9
v4.3.0
v4.3.1
v4.3.2
v4.3.3
v4.3.4