CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-24712 – Cross-Site Request Forgery (CSRF) Protection Bypass Vulnerability in CodeIgniter4
https://notcve.org/view.php?id=CVE-2022-24712
CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A vulnerability in versions prior to 4.1.9 might allow remote attackers to bypass the CodeIgniter4 Cross-Site Request Forgery (CSRF) protection mechanism. Users should upgrade to version 4.1.9. There are workarounds for this vulnerability, but users will still need to code as these after upgrading to v4.1.9. Otherwise, the CSRF protection may be bypassed. • https://github.com/codeigniter4/CodeIgniter4/blob/7dc2ece32401ebde67122f7d2460efcaee7c352e/user_guide_src/source/changelogs/v4.1.9.rst https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-4v37-24gm-h554 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-24711 – Remote CLI Command Execution Vulnerability in CodeIgniter4
https://notcve.org/view.php?id=CVE-2022-24711
CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. Prior to version 4.1.9, an improper input validation vulnerability allows attackers to execute CLI routes via HTTP request. Version 4.1.9 contains a patch. There are currently no known workarounds for this vulnerability. CodeIgniter4 es la rama 4.x de CodeIgniter, un framework web PHP full-stack. • https://github.com/codeigniter4/CodeIgniter4/commit/202f41ad522ba1d414b9d9c35aba1cb0c156b781 https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-xjp4-6w75-qrj7 • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-21715 – Cross-site Scripting Vulnerability in CodeIgniter4
https://notcve.org/view.php?id=CVE-2022-21715
CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in `API\ResponseTrait` in Codeigniter4 prior to version 4.1.8. Attackers can do XSS attacks if a potential victim is using `API\ResponseTrait`. Version 4.1.8 contains a patch for this vulnerability. There are two potential workarounds available. • https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 7%CPEs: 1EXPL: 0CVE-2022-21647 – Deserialization of Untrusted Data in Codeigniter4
https://notcve.org/view.php?id=CVE-2022-21647
CodeIgniter is an open source PHP full-stack web framework. Deserialization of Untrusted Data was found in the `old()` function in CodeIgniter4. Remote attackers may inject auto-loadable arbitrary objects with this vulnerability, and possibly execute existing PHP code on the server. We are aware of a working exploit, which can lead to SQL injection. Users are advised to upgrade to v4.1.6 or later. • https://github.com/codeigniter4/CodeIgniter4/commit/ce95ed5765256e2f09f3513e7d42790e0d6948f5 https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-w6jr-wj64-mc9x • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-40975
https://notcve.org/view.php?id=CVE-2021-40975
Cross-site scripting (XSS) vulnerability in application/modules/admin/views/ecommerce/products.php in Ecommerce-CodeIgniter-Bootstrap (Codeigniter 3.1.11, Bootstrap 3.3.7) allows remote attackers to inject arbitrary web script or HTML via the search_title parameter. Una vulnerabilidad de tipo cross-site scripting (XSS) en el archivo application/modules/admin/views/ecommerce/products.php en Ecommerce-CodeIgniter-Bootstrap (Codeigniter versión 3.1.11, Bootstrap versión 3.3.7) permiten a atacantes remotos inyectar scripts web o HTML arbitrarios por medio del parámetro search_title • https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap/blob/c546a716ba56e8e33b3a5def1c18a6d89c3608f5/application/modules/admin/views/ecommerce/products.php#L37 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •