Mgatner

**Name of the Vulnerable Software and Affected Versions** CodeIgniter versions prior to 4.2.11 **Description** This issue may allow attackers to spoof their IP address when the server is behind a reverse proxy. **Recommendations** For versions prior to 4.2.11, upgrade to version 4.2.11 or later, and configure `ConfigApp::$proxyIPs`. As a temporary workaround, do not use `$request->getIPAddress()`.

**Name of the Vulnerable Software and Affected Versions** CodeIgniter versions prior to 4.2.11 **Description** The issue arises when an application uses multiple session cookies and a session handler is set to `DatabaseHandler`, `MemcachedHandler`, or `RedisHandler`. If an attacker obtains one session cookie, they may be able to access pages that require another session cookie. **Recommendations** For versions prior to 4.2.11, upgrade to version 4.2.11 or later. As a temporary workaround, consider using only one session cookie until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** CodeIgniter versions prior to 4.2.7 **Description** The issue arises when setting `$secure` or `$httponly` value to `true` in `ConfigCookie` is not reflected in `set cookie()` or `Response::setCookie()`, resulting in cookie values being erroneously exposed to scripts. This vulnerability does not affect session cookies. **Recommendations** For versions prior to 4.2.7, upgrade to v4.2.7 or later. As a temporary workaround, consider specifying the options explicitly by setting `'secure'` and `'httponly'` to `true` in the cookie array. Alternatively, construct Cookie objects to ensure secure cookie handling. For example, specify the options explicitly: ```php $cookie = [ 'name' => $name, 'value' => $value, 'secure' => true, 'httponly' => true, ]; set cookie($cookie); // or $this->response->setCookie($cookie); ``` Or use Cookie object: ```php use CodeIgniterCookieCookie; $cookie = new Cookie($name, $value); set cookie($cookie); // or $this->response->setCookie($cookie); ```

**Name of the Vulnerable Software and Affected Versions** CodeIgniter versions prior to 4.2.3 Shield versions prior to 1.0.0-beta.2 **Description** This issue may allow attackers to bypass the CodeIgniter4 CSRF protection mechanism with CodeIgniter Shield. For this attack to succeed, the attacker must have direct or indirect control over a subdomain site of the target site. The attack is possible whether `ConfigSecurity::$csrfProtection` is set to `'cookie'` or `'session'`, and whether `ConfigSecurity::$regenerate` is `true` or `false`. **Recommendations** Upgrade to CodeIgniter v4.2.3 or later and Shield v1.0.0-beta.2 or later. As a workaround: - set `ConfigSecurity::$csrfProtection` to `'session'` - remove old session data right after login - regenerate CSRF token right after login

**Name of the Vulnerable Software and Affected Versions** CodeIgniter4 versions prior to 4.1.9 **Description** A vulnerability in CodeIgniter4 might allow remote attackers to bypass the Cross-Site Request Forgery (CSRF) protection mechanism. This issue can be exploited when auto-routing is enabled or disabled, potentially leading to unauthorized actions. To mitigate this, users can check the request method in the controller method before processing or use HTTP verbs in routes instead of `$routes->add()`. **Recommendations** For versions prior to 4.1.9, upgrade to version 4.1.9 or later. As a temporary workaround, consider checking the request method in the controller method before processing, for example: ```php if (strtolower($this->request->getMethod()) !== 'post') { return $this->response->setStatusCode(405)->setBody('Method Not Allowed'); } ``` When auto-routing is disabled, either avoid using `$routes->add()` and instead use HTTP verbs in routes, or check the request method in the controller method before processing.

**Name of the Vulnerable Software and Affected Versions** CodeIgniter4 versions prior to 4.1.9 **Description** The issue allows attackers to execute CLI routes via HTTP request due to improper input validation. There are currently no known workarounds for this issue. **Recommendations** Upgrade to version 4.1.9 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** CodeIgniter4 versions prior to 4.1.8 **Description** A cross-site scripting (XSS) issue was found in `APIResponseTrait` in CodeIgniter4. Attackers can perform XSS attacks if a potential victim is using `APIResponseTrait`. **Recommendations** For versions prior to 4.1.8, upgrade to version 4.1.8 or later. As a temporary workaround, consider avoiding the use of `APIResponseTrait` or `ResourceController`. Alternatively, disable Auto Route and use defined routes only.

**Name of the Vulnerable Software and Affected Versions** CodeIgniter4 versions prior to 4.1.6 **Description** Deserialization of Untrusted Data was found in the `old()` function in CodeIgniter4. Remote attackers may inject auto-loadable arbitrary objects with this vulnerability, and possibly execute existing PHP code on the server. A working exploit is known to exist, which can lead to SQL injection. **Recommendations** Upgrade to v4.1.6 or later. As a temporary workaround, consider not using the `old()` function and form helper, nor `RedirectResponse::withInput()` and `redirect()->withInput()`.