CVE-2022-21715

CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in API\ResponseTrait in Codeigniter4 prior to version 4.1.8. Attackers can do XSS attacks if a potential victim is using API\ResponseTrait. Version 4.1.8 contains a patch for this vulnerability. There are two potential workarounds available. Users may avoid using API\ResponseTrait or ResourceController Users may also disable Auto Route and use defined routes only.

Published: Jan 24, 2022
Updated: May 9, 2024
CVE: CVE-2022-21715
GHSA: GHSA-7528-7jg5-6g62
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
codeigniter / codeigniter	4.0.0	4.1.8
codeigniter4 / framework	-	4.1.8

https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only
https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd
https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62

Vulnerability Database

CVE-2022-21715