{
  "resultsPerPage": 1,
  "startIndex": 0,
  "totalResults": 1,
  "format": "NVD_CVE",
  "version": "2.0",
  "timestamp": "2026-07-01T01:00:30.413",
  "vulnerabilities": [
    {
      "cve": {
        "id": "CVE-2022-35943",
        "sourceIdentifier": "security-advisories@github.com",
        "published": "2022-08-12T21:15:07.803",
        "lastModified": "2026-06-17T04:52:34.443",
        "vulnStatus": "Modified",
        "cveTags": [],
        "descriptions": [
          {
            "lang": "en",
            "value": "Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow [SameSite Attackers](https://canitakeyoursubdomain.name/) to bypass the [CodeIgniter4 CSRF protection](https://codeigniter4.github.io/userguide/libraries/security.html) mechanism with CodeIgniter Shield. For this attack to succeed, the attacker must have direct (or indirect, e.g., XSS) control over a subdomain site (e.g., `https://a.example.com/`) of the target site (e.g., `http://example.com/`). Upgrade to **CodeIgniter v4.2.3 or later** and **Shield v1.0.0-beta.2 or later**. As a workaround: set `Config\\Security::$csrfProtection` to `'session'`, remove old session data right after login (immediately after ID and password match) and regenerate the CSRF token right after login (immediately after ID and password match)."
          },
          {
            "lang": "es",
            "value": "Shield es un marco de autenticación y autorización para CodeIgniter 4. Esta vulnerabilidad puede permitir a [Atacantes del Mismo Sitio](https://canitakeyoursubdomain.name/) omitir el mecanismo de [protección CSRF de CodeIgniter4](https://codeigniter4.github.io/userguide/libraries/security.html) con CodeIgniter Shield. Para que este ataque tenga éxito, el atacante debe tener control directo (o indirecto, por ejemplo, de tipo XSS) sobre un sitio subdominio (por ejemplo, \"https://a.example.com/\") del sitio objetivo (por ejemplo, \"http://example.com/\"). Actualice a **CodeIgniter versiones v4.2.3 o posteriores** y **Shield versiones v1.0.0-beta.2 o posteriores**. Como mitigación: establezca \"Config\\Security::$csrfProtection\" como \"\"sesión,\"\"elimine los datos de la sesión antigua justo después del inicio de sesión (inmediatamente después de que el ID y la contraseña coincidan) y regenere el token CSRF justo después del inicio de sesión (inmediatamente después de que el ID y la contraseña coincidan)"
          }
        ],
        "affected": [
          {
            "source": "security-advisories@github.com",
            "affectedData": [
              {
                "vendor": "codeigniter4",
                "product": "shield",
                "versions": [
                  {
                    "version": "> 4.3.2, > v1.0.0-beta.2",
                    "status": "affected"
                  }
                ]
              }
            ]
          }
        ],
        "metrics": {
          "cvssMetricV31": [
            {
              "source": "security-advisories@github.com",
              "type": "Secondary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:L",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "attackVector": "NETWORK",
                "attackComplexity": "HIGH",
                "privilegesRequired": "NONE",
                "userInteraction": "REQUIRED",
                "scope": "UNCHANGED",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "availabilityImpact": "LOW"
              },
              "exploitabilityScore": 1.6,
              "impactScore": 4.2
            },
            {
              "source": "nvd@nist.gov",
              "type": "Primary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "privilegesRequired": "NONE",
                "userInteraction": "REQUIRED",
                "scope": "UNCHANGED",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "availabilityImpact": "HIGH"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 5.9
            }
          ],
          "ssvcV203": [
            {
              "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "ssvcData": {
                "timestamp": "2025-04-22T15:45:07.423965Z",
                "id": "CVE-2022-35943",
                "options": [
                  { "exploitation": "poc" },
                  { "automatable": "no" },
                  { "technicalImpact": "partial" }
                ],
                "role": "CISA Coordinator",
                "version": "2.0.3"
              }
            }
          ]
        },
        "weaknesses": [
          {
            "source": "security-advisories@github.com",
            "type": "Secondary",
            "description": [
              { "lang": "en", "value": "CWE-352" }
            ]
          }
        ],
        "configurations": [
          {
            "nodes": [
              {
                "operator": "OR",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:codeigniter:codeigniter:*:*:*:*:*:*:*:*",
                    "versionEndExcluding": "4.2.3",
                    "matchCriteriaId": "FBF0023B-014D-4BB0-A3C9-9A73D58C0C15"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:codeigniter:shield:1.0.0:beta:*:*:*:*:*:*",
                    "matchCriteriaId": "B1E3F1E0-C2D7-4EC5-AD04-AEB414A3D71C"
                  }
                ]
              }
            ]
          }
        ],
        "references": [
          {
            "url": "https://codeigniter4.github.io/userguide/libraries/security.htm",
            "source": "security-advisories@github.com",
            "tags": ["Broken Link"]
          },
          {
            "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite",
            "source": "security-advisories@github.com",
            "tags": ["Third Party Advisory"]
          },
          {
            "url": "https://github.com/codeigniter4/shield/security/advisories/GHSA-5hm8-vh6r-2cjq",
            "source": "security-advisories@github.com",
            "tags": ["Exploit", "Mitigation", "Third Party Advisory"]
          },
          {
            "url": "https://jub0bs.com/posts/2021-01-29-great-samesite-confusion",
            "source": "security-advisories@github.com",
            "tags": ["Third Party Advisory"]
          },
          {
            "url": "https://codeigniter4.github.io/userguide/libraries/security.htm",
            "source": "af854a3a-2127-422b-91ae-364da2661108",
            "tags": ["Broken Link"]
          },
          {
            "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite",
            "source": "af854a3a-2127-422b-91ae-364da2661108",
            "tags": ["Third Party Advisory"]
          },
          {
            "url": "https://github.com/codeigniter4/shield/security/advisories/GHSA-5hm8-vh6r-2cjq",
            "source": "af854a3a-2127-422b-91ae-364da2661108",
            "tags": ["Exploit", "Mitigation", "Third Party Advisory"]
          },
          {
            "url": "https://jub0bs.com/posts/2021-01-29-great-samesite-confusion",
            "source": "af854a3a-2127-422b-91ae-364da2661108",
            "tags": ["Third Party Advisory"]
          }
        ]
      }
    }
  ]
}