First published: Mon Oct 30 2023(Updated: )
CodeIgniter is a PHP full-stack web framework. Prior to CodeIgniter4 version 4.4.3, if an error or exception occurs, a detailed error report is displayed even if in the production environment. As a result, confidential information may be leaked. Version 4.4.3 contains a patch. As a workaround, replace `ini_set('display_errors', '0')` with `ini_set('display_errors', 'Off')` in `app/Config/Boot/production.php`.
Credit: security-advisories@github.com security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Codeigniter Codeigniter | <4.4.3 | |
composer/codeigniter4/framework | <=4.4.2 | 4.4.3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
If an error or exception occurs in CodeIgniter4 v4.4.2 and earlier, a detailed error report is displayed even if in the production environment, potentially leaking confidential information.
Upgrade to CodeIgniter4 v4.4.3 or later.
You can find the upgrading guide for CodeIgniter4 on the official CodeIgniter4 documentation website.
Yes, you can find references for CVE-2023-46240 on the CodeIgniter4 GitHub page and the official CodeIgniter4 documentation website.
CWE-209 is a vulnerability related to information exposure through an error message.