CVE-2022-21715 - Vulnerability Details - OpenCVE

CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in `API\ResponseTrait` in Codeigniter4 prior to version 4.1.8. Attackers can do XSS attacks if a potential victim is using `API\ResponseTrait`. Version 4.1.8 contains a patch for this vulnerability. There are two potential workarounds available. Users may avoid using `API\ResponseTrait` or `ResourceController` Users may also disable Auto Route and use defined routes only.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Codeigniter	Codeigniter

Configuration 1 [-]

cpe:2.3:a:codeigniter:codeigniter:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only
https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd
https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62

History

Wed, 23 Apr 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-01-24T19:55:10.000Z

Updated: 2025-04-23T19:09:30.971Z

Reserved: 2021-11-16T00:00:00.000Z

Link: CVE-2022-21715

Vulnrichment

Updated: 2024-08-03T02:53:35.389Z

NVD

Status : Modified

Published: 2022-01-24T20:15:08.713

Modified: 2024-11-21T06:45:17.603

Link: CVE-2022-21715

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "CodeIgniter4", "vendor": "codeigniter4", "versions": [{"status": "affected", "version": "< 4.1.8"}]}], "descriptions": [{"lang": "en", "value": "CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in `API\\ResponseTrait` in Codeigniter4 prior to version 4.1.8. Attackers can do XSS attacks if a potential victim is using `API\\ResponseTrait`. Version 4.1.8 contains a patch for this vulnerability. There are two potential workarounds available. Users may avoid using `API\\ResponseTrait` or `ResourceController` Users may also disable Auto Route and use defined routes only."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-01-24T19:55:10.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd"}, {"tags": ["x_refsource_MISC"], "url": "https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only"}], "source": {"advisory": "GHSA-7528-7jg5-6g62", "discovery": "UNKNOWN"}, "title": "Cross-site Scripting Vulnerability in CodeIgniter4", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-21715", "STATE": "PUBLIC", "TITLE": "Cross-site Scripting Vulnerability in CodeIgniter4"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "CodeIgniter4", "version": {"version_data": [{"version_value": "< 4.1.8"}]}}]}, "vendor_name": "codeigniter4"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in `API\\ResponseTrait` in Codeigniter4 prior to version 4.1.8. Attackers can do XSS attacks if a potential victim is using `API\\ResponseTrait`. Version 4.1.8 contains a patch for this vulnerability. There are two potential workarounds available. Users may avoid using `API\\ResponseTrait` or `ResourceController` Users may also disable Auto Route and use defined routes only."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62", "refsource": "CONFIRM", "url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62"}, {"name": "https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd", "refsource": "MISC", "url": "https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd"}, {"name": "https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only", "refsource": "MISC", "url": "https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only"}]}, "source": {"advisory": "GHSA-7528-7jg5-6g62", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T02:53:35.389Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T14:11:39.225722Z", "id": "CVE-2022-21715", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T19:09:30.971Z"}}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-21715", "datePublished": "2022-01-24T19:55:10.000Z", "dateReserved": "2021-11-16T00:00:00.000Z", "dateUpdated": "2025-04-23T19:09:30.971Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T02:53:35.389Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-21715", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-23T14:11:39.225722Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T14:11:40.553Z"}}], "cna": {"title": "Cross-site Scripting Vulnerability in CodeIgniter4", "source": {"advisory": "GHSA-7528-7jg5-6g62", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "codeigniter4", "product": "CodeIgniter4", "versions": [{"status": "affected", "version": "< 4.1.8"}]}], "references": [{"url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd", "tags": ["x_refsource_MISC"]}, {"url": "https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in `API\\ResponseTrait` in Codeigniter4 prior to version 4.1.8. Attackers can do XSS attacks if a potential victim is using `API\\ResponseTrait`. Version 4.1.8 contains a patch for this vulnerability. There are two potential workarounds available. Users may avoid using `API\\ResponseTrait` or `ResourceController` Users may also disable Auto Route and use defined routes only."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-01-24T19:55:10.000Z"}, "x_legacyV4Record": {"impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, "source": {"advisory": "GHSA-7528-7jg5-6g62", "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "< 4.1.8"}]}, "product_name": "CodeIgniter4"}]}, "vendor_name": "codeigniter4"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62", "name": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62", "refsource": "CONFIRM"}, {"url": "https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd", "name": "https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd", "refsource": "MISC"}, {"url": "https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only", "name": "https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in `API\\ResponseTrait` in Codeigniter4 prior to version 4.1.8. Attackers can do XSS attacks if a potential victim is using `API\\ResponseTrait`. Version 4.1.8 contains a patch for this vulnerability. There are two potential workarounds available. Users may avoid using `API\\ResponseTrait` or `ResourceController` Users may also disable Auto Route and use defined routes only."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-21715", "STATE": "PUBLIC", "TITLE": "Cross-site Scripting Vulnerability in CodeIgniter4", "ASSIGNER": "security-advisories@github.com"}}}}, "cveMetadata": {"cveId": "CVE-2022-21715", "state": "PUBLISHED", "dateUpdated": "2025-04-23T19:09:30.971Z", "dateReserved": "2021-11-16T00:00:00.000Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2022-01-24T19:55:10.000Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:codeigniter:codeigniter:*:*:*:*:*:*:*:*", "matchCriteriaId": "B1C63CF8-7611-44C2-A2A4-18FD834638A1", "versionEndExcluding": "4.1.8", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in `API\\ResponseTrait` in Codeigniter4 prior to version 4.1.8. Attackers can do XSS attacks if a potential victim is using `API\\ResponseTrait`. Version 4.1.8 contains a patch for this vulnerability. There are two potential workarounds available. Users may avoid using `API\\ResponseTrait` or `ResourceController` Users may also disable Auto Route and use defined routes only."}, {"lang": "es", "value": "CodeIgniter4 es la rama versi\u00f3n 4.x de CodeIgniter, un framework web PHP full-stack. Se ha encontrado una vulnerabilidad de tipo cross-site scripting (XSS) en \"API\\ResponseTrait\" en Codeigniter4 versiones anteriores a 4.1.8. Los atacantes pueden realizar ataques de tipo XSS si una v\u00edctima potencial est\u00e1 usando \"API\\ResponseTrait\". La versi\u00f3n 4.1.8, contiene un parche para esta vulnerabilidad. Se presentan dos posibles soluciones disponibles. Los usuarios pueden evitar el uso de \"APIResponseTrait\" o \"ResourceController\" Los usuarios tambi\u00e9n pueden deshabilitar la Ruta Autom\u00e1tica y usar s\u00f3lo las rutas definidas"}], "id": "CVE-2022-21715", "lastModified": "2024-11-21T06:45:17.603", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-24T20:15:08.713", "references": [{"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}