PRIOn knowledge base: PRION:CVE-2022-39284
History: Oct 06, 2022 - 8:15 p.m.

Code injection

2022-10-06 20:15:00
PRIOn knowledge base
www.prio-n.com
codeigniter, php, v4.2.7, cookie, vulnerability, fix, workaround, nvd

AI Score: 4.7 Medium (Confidence: High)
EPSS: 0.001 Low (Percentile: 32.1%)

CodeIgniter is a PHP full-stack web framework. In versions prior to 4.2.7, setting the $secure or $httponly value to true in Config\Cookie is not reflected in set_cookie() or Response::setCookie(). As a result, cookie values are erroneously exposed to scripts. Note that this vulnerability does not affect session cookies. Users are advised to upgrade to v4.2.7 or later. Users unable to upgrade are advised to manually construct their cookies, either by setting the options in code or by constructing Cookie objects. Examples of each workaround are available in the linked GHSA.
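One way to confirm from the outside whether an application is affected, or whether a workaround took effect, is to inspect the Set-Cookie headers it actually emits. The following is an added example (not code from the advisory or from CodeIgniter); the sample headers and the cookie name remember_me are constructed, and treating ci_session as the session cookie name is an assumption.

```python
# Added example: list cookies whose Set-Cookie line lacks Secure / HttpOnly.
# Assumption: "ci_session" is the application's session cookie name.
SESSION_COOKIE = "ci_session"
REQUIRED = ("secure", "httponly")


def parse_set_cookie(header_value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(raw_headers, required=REQUIRED, skip=(SESSION_COOKIE,)):
    """Map cookie name -> required flags missing from its Set-Cookie line."""
    findings = {}
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if name in skip:
            continue  # the advisory states session cookies are not affected
        missing = [flag for flag in required if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


# Constructed sample: Config\Cookie flags enabled but not reaching the header.
SAMPLE_BEFORE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: remember_me=abc123; expires=Thu, 06-Oct-2022 21:15:00 GMT; Max-Age=3600; path=/; SameSite=Lax
Set-Cookie: ci_session=def456; path=/; secure; HttpOnly; SameSite=Lax
"""

# Constructed sample: same cookie after upgrading or applying a workaround.
SAMPLE_AFTER = """HTTP/1.1 200 OK
Set-Cookie: remember_me=abc123; Max-Age=3600; path=/; secure; HttpOnly; SameSite=Lax
"""

if __name__ == "__main__":
    print("before:", audit_response(SAMPLE_BEFORE))
    print("after: ", audit_response(SAMPLE_AFTER))
```

Feed it the raw response headers captured from a test request (for example, saved output of an HTTP client run against a staging instance); an empty result means every non-session cookie carried both flags.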

CPE

Name         Operator  Version
codeigniter  ge        4.0.0
codeigniter  lt        4.2.7
