SameSite may allow cross-site request forgery (CSRF) protection to be bypassed
CVE-2022-35943

5.9MEDIUM

Key Information:

Vendor

Codeigniter4

Status
Shield
Vendor
CVE Published:
12 August 2022

What is CVE-2022-35943?

Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow SameSite Attackers to bypass the CodeIgniter4 CSRF protection mechanism with CodeIgniter Shield. For this attack to succeed, the attacker must have direct (or indirect, e.g., XSS) control over a subdomain site (e.g., https://a.example.com/) of the target site (e.g., http://example.com/). Upgrade to CodeIgniter v4.2.3 or later and Shield v1.0.0-beta.2 or later. As a workaround: set Config\Security::$csrfProtection to 'session,'remove old session data right after login (immediately after ID and password match) and regenerate CSRF token right after login (immediately after ID and password match)

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

shield > 4.3.2, > v1.0.0-beta.2

References

https://github.com/codeigniter4/shield/security/advisorie...
x_refsource_CONFIRM
https://codeigniter4.github.io/userguide/libraries/securi...
x_refsource_MISC
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers...
x_refsource_MISC

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.