Description
Cross-site Scripting Vulnerability in CodeIgniter4
Impact
A cross-site scripting (XSS) vulnerability was found in API\ResponseTrait in CodeIgniter4.
Attackers can perform XSS attacks against your application if you are using API\ResponseTrait.
Patches
Upgrade to v4.1.8 or later.
Workarounds
Do one of the following:
- Do not use API\ResponseTrait nor ResourceController
- Disable Auto Route and use Defined Routes Only
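The second workaround is a routing configuration change. The following is an added illustration, not code from the CodeIgniter4 project or from the advisory: it assumes the standard app skeleton in which app/Config/Routes.php receives a RouteCollection as `$routes`, and the controller names and URL paths in it are hypothetical. It shows the weak setting (auto-routing on) next to the hardened one (auto-routing off, with every endpoint declared explicitly).

```php
<?php
// app/Config/Routes.php (assumed location in a CodeIgniter 4.1.x app skeleton)

namespace Config;

// CodeIgniter loads this file with a RouteCollection instance in $routes.
/** @var \CodeIgniter\Router\RouteCollection $routes */

// Weak setting: with auto-routing enabled, any public controller method becomes
// reachable through a URL derived from its class and method name, so code using
// API\ResponseTrait or ResourceController can be reached at URLs you never declared.
// $routes->setAutoRoute(true);

// Hardened setting (the "Use Defined Routes Only" workaround): only routes listed
// in this file are reachable; every other URL resolves to a 404.
$routes->setAutoRoute(false);

// Declare each endpoint explicitly. Controller names below are hypothetical.
$routes->get('/', 'Home::index');

$routes->group('api', ['namespace' => 'App\Controllers\Api'], static function ($routes) {
    $routes->get('users', 'Users::index');
    $routes->get('users/(:num)', 'Users::show/$1');
});
```

With `setAutoRoute(false)` the router no longer maps arbitrary request paths onto controllers, so the reachable surface is exactly the list above; review that list for anything that still uses API\ResponseTrait or ResourceController until the upgrade to 4.1.8 is done.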
References
For more information
If you have any questions or comments about this advisory:
- Open an issue in codeigniter4/CodeIgniter4
- Email us at SECURITY.md
References
- https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62
- https://nvd.nist.gov/vuln/detail/CVE-2022-21715
- https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd
- https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only
- https://github.com/FriendsOfPHP/security-advisories/blob/master/codeigniter4/framework/CVE-2022-21715.yaml
Packages
codeigniter4/framework
Affected versions: < 4.1.8
Patched version: 4.1.8
Related vulnerabilities
CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in `API\ResponseTrait` in CodeIgniter4 prior to version 4.1.8. Attackers can perform XSS attacks if a potential victim is using `API\ResponseTrait`. Version 4.1.8 contains a patch for this vulnerability. There are two potential workarounds available. Users may avoid using `API\ResponseTrait` or `ResourceController`. Users may also disable Auto Route and use defined routes only.