Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS03NTI4LTdqZzUtNmc2Ms0l_g

Cross-site Scripting Vulnerability in CodeIgniter4

Impact

Cross-Site Scripting (XSS) vulnerability was found in API\ResponseTrait in Codeigniter4.
Attackers can do XSS attacks if you are using API\ResponseTrait.

Patches

Upgrade to v4.1.8 or later.

Workarounds

Do one of the following:

Do not use API\ResponseTrait nor ResourceController
Disable Auto Route and Use Defined Routes Only

References

Cross Site Scripting (XSS) Software Attack | OWASP Foundation

For more information

If you have any questions or comments about this advisory:

Open an issue in codeigniter4/CodeIgniter4
Email us at SECURITY.md

Permalink: https://github.com/advisories/GHSA-7528-7jg5-6g62
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03NTI4LTdqZzUtNmc2Ms0l_g
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 3 months ago

CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Identifiers: GHSA-7528-7jg5-6g62, CVE-2022-21715
References:

Repository: https://github.com/codeigniter4/CodeIgniter4
Blast Radius: 18.0

Affected Packages

packagist:codeigniter4/framework

Dependent packages: 239
Dependent repositories: 2,160
Downloads: 1,915,433 total
Affected Version Ranges: < 4.1.8
Fixed in: 4.1.8
All affected versions: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7
All unaffected versions: 4.1.8, 4.1.9, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.2.11, 4.2.12, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8, 4.5.0, 4.5.1