VYPR
Moderate severityNVD Advisory· Published Aug 12, 2022· Updated Apr 22, 2025

SameSite may allow cross-site request forgery (CSRF) protection to be bypassed

CVE-2022-35943

Description

Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow SameSite Attackers to bypass the CodeIgniter4 CSRF protection mechanism with CodeIgniter Shield. For this attack to succeed, the attacker must have direct (or indirect, e.g., XSS) control over a subdomain site (e.g., https://a.example.com/) of the target site (e.g., http://example.com/). Upgrade to CodeIgniter v4.2.3 or later and Shield v1.0.0-beta.2 or later. As a workaround: set Config\Security::$csrfProtection to 'session,'remove old session data right after login (immediately after ID and password match) and regenerate CSRF token right after login (immediately after ID and password match)

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
codeigniter4/shieldPackagist
>= 1.0.0-beta, < 1.0.0-beta.21.0.0-beta.2

Affected products

3

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.