What is CVE-2022-35943?

CVE-2022-35943 is a vulnerability in the Shield authentication and authorization framework for CodeIgniter 4.

How does CVE-2022-35943 affect CodeIgniter 4?

CVE-2022-35943 allows SameSite Attackers to bypass the CodeIgniter4 CSRF protection mechanism.

What is the severity of CVE-2022-35943?

CVE-2022-35943 has a severity rating of 8.8 (high).

How can I fix CVE-2022-35943?

To fix CVE-2022-35943, it is recommended to update to the latest version of CodeIgniter and Shield.

Where can I find more information about CVE-2022-35943?

You can find more information about CVE-2022-35943 in the CodeIgniter4 security advisories and the CVE database.

Vulnerability/
CVE-2022-35943

high

8.8

CWE

352 79

12/8/2022

3/8/2024

CVE-2022-35943: SameSite may allow cross-site request forgery (CSRF) protection to be bypassed

First published: Fri Aug 12 2022(Updated: )

Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow [SameSite Attackers](https://canitakeyoursubdomain.name/) to bypass the [CodeIgniter4 CSRF protection](https://codeigniter4.github.io/userguide/libraries/security.html) mechanism with CodeIgniter Shield. For this attack to succeed, the attacker must have direct (or indirect, e.g., XSS) control over a subdomain site (e.g., `https://a.example.com/`) of the target site (e.g., `http://example.com/`). Upgrade to **CodeIgniter v4.2.3 or later** and **Shield v1.0.0-beta.2 or later**. As a workaround: set `Config\Security::$csrfProtection` to `'session,'`remove old session data right after login (immediately after ID and password match) and regenerate CSRF token right after login (immediately after ID and password match)

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Codeigniter Codeigniter	<4.2.3
CodeIgniter Shield	=1.0.0-beta

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2022-35943?
CVE-2022-35943 is a vulnerability in the Shield authentication and authorization framework for CodeIgniter 4.
How does CVE-2022-35943 affect CodeIgniter 4?
CVE-2022-35943 allows SameSite Attackers to bypass the CodeIgniter4 CSRF protection mechanism.
What is the severity of CVE-2022-35943?
CVE-2022-35943 has a severity rating of 8.8 (high).
How can I fix CVE-2022-35943?
To fix CVE-2022-35943, it is recommended to update to the latest version of CodeIgniter and Shield.
Where can I find more information about CVE-2022-35943?
You can find more information about CVE-2022-35943 in the CodeIgniter4 security advisories and the CVE database.

collector/nvd-index
agent/references
agent/weakness
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/author
agent/title
agent/severity
agent/tags
agent/first-publish-date
agent/event
agent/description
vendor/codeigniter
canonical/codeigniter codeigniter
canonical/codeigniter shield
version/codeigniter shield/1.0.0-beta

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.