Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
SameSite may allow cross-site request forgery (CSRF) protection to be bypassed
Vulnerability Description
Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow [SameSite Attackers](https://canitakeyoursubdomain.name/) to bypass the [CodeIgniter4 CSRF protection](https://codeigniter4.github.io/userguide/libraries/security.html) mechanism with CodeIgniter Shield. For this attack to succeed, the attacker must have direct (or indirect, e.g., XSS) control over a subdomain site (e.g., `https://a.example.com/`) of the target site (e.g., `http://example.com/`). Upgrade to **CodeIgniter v4.2.3 or later** and **Shield v1.0.0-beta.2 or later**. As a workaround: set `Config\Security::$csrfProtection` to `'session,'`remove old session data right after login (immediately after ID and password match) and regenerate CSRF token right after login (immediately after ID and password match)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:L
Vulnerability Type
跨站请求伪造(CSRF)
Vulnerability Title
CodeIgniter Shield 跨站请求伪造漏洞
Vulnerability Description
CodeIgniter Shield是CodeIgniter公司的CodeIgniter 4的身份验证和授权模块。 CodeIgniter Shield 存在跨站请求伪造漏洞。攻击者利用该漏洞绕过带有CodeIgniter护罩的机构。
CVSS Information
N/A
Vulnerability Type
N/A