Kenjis

**Name of the Vulnerable Software and Affected Versions** CodeIgniter Shield versions prior to 1.0.0-beta.8 **Description** The `secretKey` value, an important key for HMAC SHA256 authentication, was stored in the database in cleartext form. If a malicious person had access to the database data, they could use the key and `secretKey` for HMAC SHA256 authentication to send requests impersonating a user. **Recommendations** For versions prior to 1.0.0-beta.8, upgrade to Shield v1.0.0-beta.8 or later. After upgrading, all existing `secretKey` values must be encrypted.

**Name of the Vulnerable Software and Affected Versions** CodeIgniter Shield versions prior to 1.0.0-beta.8 **Description** CodeIgniter Shield is an authentication and authorization provider for CodeIgniter 4. In affected versions, successful login attempts are recorded with the raw tokens stored in the log table. If a malicious person views the data in the log table, they can obtain a raw token, which can then be used to send a request with that user's authority. This issue affects users of `tokens`, `jwt`, and `hmac` authenticators when logging successful login attempts. **Recommendations** For versions prior to 1.0.0-beta.8, upgrade to Shield v1.0.0-beta.8 or later. As a temporary workaround, disable logging for successful login attempts by setting `ConfigAuthToken::$recordLoginAttempt` to `Auth::RECORD LOGIN ATTEMPT FAILURE` or `Auth::RECORD LOGIN ATTEMPT NONE` for AccessTokens or HmacSha256, and `ConfigAuthJWT::$recordLoginAttempt` to `Auth::RECORD LOGIN ATTEMPT FAILURE` or `Auth::RECORD LOGIN ATTEMPT NONE` for JWT.

**Name of the Vulnerable Software and Affected Versions** CodeIgniter versions prior to 4.3.5 **Description** This issue allows attackers to execute arbitrary code when using Validation Placeholders. The vulnerability exists in the Validation library, and validation methods in the controller and in-model validation are also affected because they use the Validation library internally. **Recommendations** For versions prior to 4.3.5, upgrade to version 4.3.5 or later. As a temporary workaround, consider setting validation rules with an array to minimize the risk of exploitation. For example, use `$validation->setRules(['email' => ['required','valid email, 'is unique[users.email,id,{id}]']])` to set validation rules.

**Nome do software vulnerável e versões afetadas** Versões do CodeIgniter4 anteriores à 4.1.8 **Descrição** Foi detectada uma vulnerabilidade de script entre sites (XSS) no `APIResponseTrait` do CodeIgniter4. Os invasores podem realizar ataques XSS se uma vítima em potencial estiver utilizando o `APIResponseTrait`. **Recomendações** Para versões anteriores à 4.1.8, atualize para a versão 4.1.8 ou posterior. Como solução temporária, considere evitar o uso de `APIResponseTrait` ou `ResourceController`. Como alternativa, desative o Auto Route e use apenas rotas definidas.