CVE-2022-21715 Information

Jun 07, 2022 cve

Description

CodeIgniter4 is the 4.x branch of CodeIgniter a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in API\ResponseTrait in Codeigniter4 prior to version 4.1.8. Attackers can do XSS attacks if a potential victim is using API\ResponseTrait. Version 4.1.8 contains a patch for this vulnerability. There are two potential workarounds available. Users may avoid using API\ResponseTrait or ResourceController Users may also disable Auto Route and use defined routes only.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62 https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

6.1

Share on: