Vulnerability Description
CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in `API\ResponseTrait` in Codeigniter4 prior to version 4.1.8. Attackers can do XSS attacks if a potential victim is using `API\ResponseTrait`. Version 4.1.8 contains a patch for this vulnerability. There are two potential workarounds available. Users may avoid using `API\ResponseTrait` or `ResourceController` Users may also disable Auto Route and use defined routes only.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Codeigniter | Codeigniter | >= 4.0.0, < 4.1.8 |
Related Weaknesses (CWE)
References
- https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routeMitigationVendor Advisory
- https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2PatchThird Party Advisory
- https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-MitigationThird Party Advisory
- https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routeMitigationVendor Advisory
- https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2PatchThird Party Advisory
- https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-MitigationThird Party Advisory
FAQ
What is CVE-2022-21715?
CVE-2022-21715 is a vulnerability with a CVSS score of 5.4 (MEDIUM). CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in `API\ResponseTrait` in Codeigniter4 prior to version 4.1.8. Attac...
How severe is CVE-2022-21715?
CVE-2022-21715 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-21715?
Check the references section above for vendor advisories and patch information. Affected products include: Codeigniter Codeigniter.