QwikSec

Security Database

CVE

CWE

Training

CVE-2022-39284

Published: Oct 6, 2022

Modified: Apr 22, 2025

PUBLISHED

CVSS v3.1

2.6

LOW

Description

CodeIgniter is a PHP full-stack web framework. In versions prior to 4.2.7 setting `$secure` or `$httponly` value to `true` in `Config\Cookie` is not reflected in `set_cookie()` or `Response::setCookie()`. As a result cookie values are erroneously exposed to scripts. It should be noted that this vulnerability does not affect session cookies. Users are advised to upgrade to v4.2.7 or later. Users unable to upgrade are advised to manually construct their cookies either by setting the options in code or by constructing Cookie objects. Examples of each workaround are available in the linked GHSA.

Vendor	Product	Versions
codeigniter4	CodeIgniter4	affected `< 4.2.7`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

References

https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-745p-r637-7vvp

https://github.com/codeigniter4/CodeIgniter4/issues/6540

https://github.com/codeigniter4/CodeIgniter4/pull/6544

https://codeigniter4.github.io/userguide/helpers/cookie_helper.html#set_cookie

https://codeigniter4.github.io/userguide/outgoing/response.html#CodeIgniter%5CHTTP%5CResponse::setCookie

https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.