GSA_kwCzR0hTQS1nNDM0LTNxMmotaGo0cs4AAWhd

Critical CVSS: 9.8 EPSS: 0.00242% (0.47516 Percentile) EPSS:

Permalink JSON

CodeIgniter Session Fixation Vulnerability

Affected Packages	Affected Versions	Fixed Versions
packagist:codeigniter/framework	< 3.1.10	3.1.10
69 Dependent packages 509 Dependent repositories 2,281,301 Downloads total Affected Version Ranges All affected versions 3.0.0, 3.0.1, 3.0.1rc, 3.0.1rc2, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9 All unaffected versions 3.1.10, 3.1.11, 3.1.12, 3.1.13

Potentially Affected Packages

These packages share the same source repository and may be affected by this vulnerability, but are not listed in the advisory.

8 other packages share this repository

Package	Ecosystem	Latest Version
bcit-ci/codeigniter	packagist	3.1.13
github.com/bcit-ci/codeigniter	go	v2.1.0+incompatible
ellislab/codeigniter	packagist
ci_framework	bower
codeigniter2	bower
ci	bower
codeigniter3	bower
github.com/bcit-ci/CodeIgniter	go	v2.1.0+incompatible

A Session Fixation issue exists in CodeIgniter before 3.1.10 because session.use_strict_mode in the Session Library was mishandled.

References:

Identifiers

GHSA-g434-3q2j-hj4r

CVE-2018-12071

Risk

Severity

Critical

CVSS

CVSS Score: 9.8

CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

EPSS Percentage: 0.00242

EPSS Percentile: 0.47516

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/bcit-ci/CodeIgniter
View on Ecosyste.ms

Date and time

Published

about 4 years ago

Updated

18 days ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories