CVE-2022-21715 - Vulnerability Details

Vendors	Products
Codeigniter	Codeigniter

Link	Providers
https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only
https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd
https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "CodeIgniter4", "vendor": "codeigniter4", "versions": [{"status": "affected", "version": "< 4.1.8"}]}], "descriptions": [{"lang": "en", "value": "CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in `API\\ResponseTrait` in Codeigniter4 prior to version 4.1.8. Attackers can do XSS attacks if a potential victim is using `API\\ResponseTrait`. Version 4.1.8 contains a patch for this vulnerability. There are two potential workarounds available. Users may avoid using `API\\ResponseTrait` or `ResourceController` Users may also disable Auto Route and use defined routes only."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-01-24T19:55:10.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd"}, {"tags": ["x_refsource_MISC"], "url": "https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only"}], "source": {"advisory": "GHSA-7528-7jg5-6g62", "discovery": "UNKNOWN"}, "title": "Cross-site Scripting Vulnerability in CodeIgniter4", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-21715", "STATE": "PUBLIC", "TITLE": "Cross-site Scripting Vulnerability in CodeIgniter4"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "CodeIgniter4", "version": {"version_data": [{"version_value": "< 4.1.8"}]}}]}, "vendor_name": "codeigniter4"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in `API\\ResponseTrait` in Codeigniter4 prior to version 4.1.8. Attackers can do XSS attacks if a potential victim is using `API\\ResponseTrait`. Version 4.1.8 contains a patch for this vulnerability. There are two potential workarounds available. Users may avoid using `API\\ResponseTrait` or `ResourceController` Users may also disable Auto Route and use defined routes only."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62", "refsource": "CONFIRM", "url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62"}, {"name": "https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd", "refsource": "MISC", "url": "https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd"}, {"name": "https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only", "refsource": "MISC", "url": "https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only"}]}, "source": {"advisory": "GHSA-7528-7jg5-6g62", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T02:53:35.389Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T14:11:39.225722Z", "id": "CVE-2022-21715", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T19:09:30.971Z"}}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-21715", "datePublished": "2022-01-24T19:55:10.000Z", "dateReserved": "2021-11-16T00:00:00.000Z", "dateUpdated": "2025-04-23T19:09:30.971Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : CodeIgniter4 (string)

vendor : codeigniter4 (string)

versions : [ »

0 : { »

status : affected (string)

version : < 4.1.8 (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in `API\ResponseTrait` in Codeigniter4 prior to version 4.1.8. Attackers can do XSS attacks if a potential victim is using `API\ResponseTrait`. Version 4.1.8 contains a patch for this vulnerability. There are two potential workarounds available. Users may avoid using `API\ResponseTrait` or `ResourceController` Users may also disable Auto Route and use defined routes only. (string)

}

]

metrics : [ »

0 : { »

cvssV3_1 : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 5.4 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : LOW (string)

integrityImpact : LOW (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : REQUIRED (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N (string)

version : 3.1 (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

cweId : CWE-79 (string)

description : CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (string)

lang : en (string)

type : CWE (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2022-01-24T19:55:10.000Z (string)

orgId : a0819718-46f1-4df5-94e2-005712e83aaa (string)

shortName : GitHub_M (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62 (string)

}

1 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd (string)

}

2 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only (string)

}

]

source : { »

advisory : GHSA-7528-7jg5-6g62 (string)

discovery : UNKNOWN (string)

}

title : Cross-site Scripting Vulnerability in CodeIgniter4 (string)

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : security-advisories@github.com (string)

ID : CVE-2022-21715 (string)

STATE : PUBLIC (string)

TITLE : Cross-site Scripting Vulnerability in CodeIgniter4 (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : CodeIgniter4 (string)

version : { »

version_data : [ »

0 : { »

version_value : < 4.1.8 (string)

}

]

}

]

}

vendor_name : codeigniter4 (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in `API\ResponseTrait` in Codeigniter4 prior to version 4.1.8. Attackers can do XSS attacks if a potential victim is using `API\ResponseTrait`. Version 4.1.8 contains a patch for this vulnerability. There are two potential workarounds available. Users may avoid using `API\ResponseTrait` or `ResourceController` Users may also disable Auto Route and use defined routes only. (string)

}

]

}

impact : { »

cvss : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 5.4 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : LOW (string)

integrityImpact : LOW (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : REQUIRED (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N (string)

version : 3.1 (string)

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62 (string)

refsource : CONFIRM (string)

url : https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62 (string)

}

1 : { »

name : https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd (string)

refsource : MISC (string)

url : https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd (string)

}

2 : { »

name : https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only (string)

refsource : MISC (string)

url : https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only (string)

}

]

}

source : { »

advisory : GHSA-7528-7jg5-6g62 (string)

discovery : UNKNOWN (string)

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-03T02:53:35.389Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62 (string)

}

1 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd (string)

}

2 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only (string)

}

]

}

1 : { »

metrics : [ »

0 : { »

other : { »

type : ssvc (string)

content : { »

timestamp : 2025-04-23T14:11:39.225722Z (string)

id : CVE-2022-21715 (string)

options : [ »

0 : { »

Exploitation : none (string)

}

1 : { »

Automatable : no (string)

}

2 : { »

Technical Impact : partial (string)

}

]

role : CISA Coordinator (string)

version : 2.0.3 (string)

}

]

title : CISA ADP Vulnrichment (string)

providerMetadata : { »

orgId : 134c704f-9b21-4f2e-91b3-4a467353bcc0 (string)

shortName : CISA-ADP (string)

dateUpdated : 2025-04-23T19:09:30.971Z (string)

}

]

}

cveMetadata : { »

assignerOrgId : a0819718-46f1-4df5-94e2-005712e83aaa (string)

assignerShortName : GitHub_M (string)

cveId : CVE-2022-21715 (string)

datePublished : 2022-01-24T19:55:10.000Z (string)

dateReserved : 2021-11-16T00:00:00.000Z (string)

dateUpdated : 2025-04-23T19:09:30.971Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T02:53:35.389Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-21715", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-23T14:11:39.225722Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T14:11:40.553Z"}}], "cna": {"title": "Cross-site Scripting Vulnerability in CodeIgniter4", "source": {"advisory": "GHSA-7528-7jg5-6g62", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "codeigniter4", "product": "CodeIgniter4", "versions": [{"status": "affected", "version": "< 4.1.8"}]}], "references": [{"url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd", "tags": ["x_refsource_MISC"]}, {"url": "https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in `API\\ResponseTrait` in Codeigniter4 prior to version 4.1.8. Attackers can do XSS attacks if a potential victim is using `API\\ResponseTrait`. Version 4.1.8 contains a patch for this vulnerability. There are two potential workarounds available. Users may avoid using `API\\ResponseTrait` or `ResourceController` Users may also disable Auto Route and use defined routes only."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-01-24T19:55:10.000Z"}, "x_legacyV4Record": {"impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, "source": {"advisory": "GHSA-7528-7jg5-6g62", "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "< 4.1.8"}]}, "product_name": "CodeIgniter4"}]}, "vendor_name": "codeigniter4"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62", "name": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62", "refsource": "CONFIRM"}, {"url": "https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd", "name": "https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd", "refsource": "MISC"}, {"url": "https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only", "name": "https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in `API\\ResponseTrait` in Codeigniter4 prior to version 4.1.8. Attackers can do XSS attacks if a potential victim is using `API\\ResponseTrait`. Version 4.1.8 contains a patch for this vulnerability. There are two potential workarounds available. Users may avoid using `API\\ResponseTrait` or `ResourceController` Users may also disable Auto Route and use defined routes only."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-21715", "STATE": "PUBLIC", "TITLE": "Cross-site Scripting Vulnerability in CodeIgniter4", "ASSIGNER": "security-advisories@github.com"}}}}, "cveMetadata": {"cveId": "CVE-2022-21715", "state": "PUBLISHED", "dateUpdated": "2025-04-23T19:09:30.971Z", "dateReserved": "2021-11-16T00:00:00.000Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2022-01-24T19:55:10.000Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{

dataType : CVE_RECORD (string)

containers : { »

adp : [ »

0 : { »

title : CVE Program Container (string)

references : [ »

0 : { »

url : https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62 (string)

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

}

1 : { »

url : https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd (string)

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

}

2 : { »

url : https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only (string)

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

}

]

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-03T02:53:35.389Z (string)

}

1 : { »

title : CISA ADP Vulnrichment (string)

metrics : [ »

0 : { »

other : { »

type : ssvc (string)

content : { »

id : CVE-2022-21715 (string)

role : CISA Coordinator (string)

options : [ »

0 : { »

Exploitation : none (string)

}

1 : { »

Automatable : no (string)

}

2 : { »

Technical Impact : partial (string)

}

]

version : 2.0.3 (string)

timestamp : 2025-04-23T14:11:39.225722Z (string)

}

]

providerMetadata : { »

orgId : 134c704f-9b21-4f2e-91b3-4a467353bcc0 (string)

shortName : CISA-ADP (string)

dateUpdated : 2025-04-23T14:11:40.553Z (string)

}

]

cna : { »

title : Cross-site Scripting Vulnerability in CodeIgniter4 (string)

source : { »

advisory : GHSA-7528-7jg5-6g62 (string)

discovery : UNKNOWN (string)

}

metrics : [ »

0 : { »

cvssV3_1 : { »

scope : UNCHANGED (string)

version : 3.1 (string)

baseScore : 5.4 (number)

attackVector : NETWORK (string)

baseSeverity : MEDIUM (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N (string)

integrityImpact : LOW (string)

userInteraction : REQUIRED (string)

attackComplexity : LOW (string)

availabilityImpact : NONE (string)

privilegesRequired : NONE (string)

confidentialityImpact : LOW (string)

}

]

affected : [ »

0 : { »

vendor : codeigniter4 (string)

product : CodeIgniter4 (string)

versions : [ »

0 : { »

status : affected (string)

version : < 4.1.8 (string)

}

]

}

]

references : [ »

0 : { »

url : https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62 (string)

tags : [ »

0 : x_refsource_CONFIRM (string)

]

}

1 : { »

url : https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd (string)

tags : [ »

0 : x_refsource_MISC (string)

]

}

2 : { »

url : https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only (string)

tags : [ »

0 : x_refsource_MISC (string)

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in `API\ResponseTrait` in Codeigniter4 prior to version 4.1.8. Attackers can do XSS attacks if a potential victim is using `API\ResponseTrait`. Version 4.1.8 contains a patch for this vulnerability. There are two potential workarounds available. Users may avoid using `API\ResponseTrait` or `ResourceController` Users may also disable Auto Route and use defined routes only. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

lang : en (string)

type : CWE (string)

cweId : CWE-79 (string)

description : CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (string)

}

]

}

]

providerMetadata : { »

orgId : a0819718-46f1-4df5-94e2-005712e83aaa (string)

shortName : GitHub_M (string)

dateUpdated : 2022-01-24T19:55:10.000Z (string)

}

x_legacyV4Record : { »

impact : { »

cvss : { »

scope : UNCHANGED (string)

version : 3.1 (string)

baseScore : 5.4 (number)

attackVector : NETWORK (string)

baseSeverity : MEDIUM (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N (string)

integrityImpact : LOW (string)

userInteraction : REQUIRED (string)

attackComplexity : LOW (string)

availabilityImpact : NONE (string)

privilegesRequired : NONE (string)

confidentialityImpact : LOW (string)

}

source : { »

advisory : GHSA-7528-7jg5-6g62 (string)

discovery : UNKNOWN (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

version : { »

version_data : [ »

0 : { »

version_value : < 4.1.8 (string)

}

]

}

product_name : CodeIgniter4 (string)

}

]

}

vendor_name : codeigniter4 (string)

}

]

}

data_type : CVE (string)

references : { »

reference_data : [ »

0 : { »

url : https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62 (string)

name : https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62 (string)

refsource : CONFIRM (string)

}

1 : { »

url : https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd (string)

name : https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd (string)

refsource : MISC (string)

}

2 : { »

url : https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only (string)

name : https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only (string)

refsource : MISC (string)

}

]

}

data_format : MITRE (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in `API\ResponseTrait` in Codeigniter4 prior to version 4.1.8. Attackers can do XSS attacks if a potential victim is using `API\ResponseTrait`. Version 4.1.8 contains a patch for this vulnerability. There are two potential workarounds available. Users may avoid using `API\ResponseTrait` or `ResourceController` Users may also disable Auto Route and use defined routes only. (string)

}

]

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (string)

}

]

}

]

}

data_version : 4.0 (string)

CVE_data_meta : { »

ID : CVE-2022-21715 (string)

STATE : PUBLIC (string)

TITLE : Cross-site Scripting Vulnerability in CodeIgniter4 (string)

ASSIGNER : security-advisories@github.com (string)

}

cveMetadata : { »

cveId : CVE-2022-21715 (string)

state : PUBLISHED (string)

dateUpdated : 2025-04-23T19:09:30.971Z (string)

dateReserved : 2021-11-16T00:00:00.000Z (string)

assignerOrgId : a0819718-46f1-4df5-94e2-005712e83aaa (string)

datePublished : 2022-01-24T19:55:10.000Z (string)

assignerShortName : GitHub_M (string)

}

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:codeigniter:codeigniter:*:*:*:*:*:*:*:*", "matchCriteriaId": "B1C63CF8-7611-44C2-A2A4-18FD834638A1", "versionEndExcluding": "4.1.8", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in `API\\ResponseTrait` in Codeigniter4 prior to version 4.1.8. Attackers can do XSS attacks if a potential victim is using `API\\ResponseTrait`. Version 4.1.8 contains a patch for this vulnerability. There are two potential workarounds available. Users may avoid using `API\\ResponseTrait` or `ResourceController` Users may also disable Auto Route and use defined routes only."}, {"lang": "es", "value": "CodeIgniter4 es la rama versi\u00f3n 4.x de CodeIgniter, un framework web PHP full-stack. Se ha encontrado una vulnerabilidad de tipo cross-site scripting (XSS) en \"API\\ResponseTrait\" en Codeigniter4 versiones anteriores a 4.1.8. Los atacantes pueden realizar ataques de tipo XSS si una v\u00edctima potencial est\u00e1 usando \"API\\ResponseTrait\". La versi\u00f3n 4.1.8, contiene un parche para esta vulnerabilidad. Se presentan dos posibles soluciones disponibles. Los usuarios pueden evitar el uso de \"APIResponseTrait\" o \"ResourceController\" Los usuarios tambi\u00e9n pueden deshabilitar la Ruta Autom\u00e1tica y usar s\u00f3lo las rutas definidas"}], "id": "CVE-2022-21715", "lastModified": "2024-11-21T06:45:17.603", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-24T20:15:08.713", "references": [{"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:codeigniter:codeigniter:*:*:*:*:*:*:*:* (string)

matchCriteriaId : B1C63CF8-7611-44C2-A2A4-18FD834638A1 (string)

versionEndExcluding : 4.1.8 (string)

versionStartIncluding : 4.0.0 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in `API\ResponseTrait` in Codeigniter4 prior to version 4.1.8. Attackers can do XSS attacks if a potential victim is using `API\ResponseTrait`. Version 4.1.8 contains a patch for this vulnerability. There are two potential workarounds available. Users may avoid using `API\ResponseTrait` or `ResourceController` Users may also disable Auto Route and use defined routes only. (string)

}

1 : { »

lang : es (string)

value : CodeIgniter4 es la rama versión 4.x de CodeIgniter, un framework web PHP full-stack. Se ha encontrado una vulnerabilidad de tipo cross-site scripting (XSS) en "API\ResponseTrait" en Codeigniter4 versiones anteriores a 4.1.8. Los atacantes pueden realizar ataques de tipo XSS si una víctima potencial está usando "API\ResponseTrait". La versión 4.1.8, contiene un parche para esta vulnerabilidad. Se presentan dos posibles soluciones disponibles. Los usuarios pueden evitar el uso de "APIResponseTrait" o "ResourceController" Los usuarios también pueden deshabilitar la Ruta Automática y usar sólo las rutas definidas (string)

}

]

id : CVE-2022-21715 (string)

lastModified : 2024-11-21T06:45:17.603 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : MEDIUM (string)

cvssData : { »

accessComplexity : MEDIUM (string)

accessVector : NETWORK (string)

authentication : NONE (string)

availabilityImpact : NONE (string)

baseScore : 4.3 (number)

confidentialityImpact : NONE (string)

integrityImpact : PARTIAL (string)

vectorString : AV:N/AC:M/Au:N/C:N/I:P/A:N (string)

version : 2.0 (string)

}

exploitabilityScore : 8.6 (number)

impactScore : 2.9 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : true (boolean)

}

]

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 5.4 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : LOW (string)

integrityImpact : LOW (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : REQUIRED (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N (string)

version : 3.1 (string)

}

exploitabilityScore : 2.8 (number)

impactScore : 2.5 (number)

source : security-advisories@github.com (string)

type : Secondary (string)

}

1 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 6.1 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : LOW (string)

integrityImpact : LOW (string)

privilegesRequired : NONE (string)

scope : CHANGED (string)

userInteraction : REQUIRED (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (string)

version : 3.1 (string)

}

exploitabilityScore : 2.8 (number)

impactScore : 2.7 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2022-01-24T20:15:08.713 (string)

references : [ »

0 : { »

source : security-advisories@github.com (string)

tags : [ »

0 : Mitigation (string)

1 : Vendor Advisory (string)

]

url : https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only (string)

}

1 : { »

source : security-advisories@github.com (string)

tags : [ »

0 : Patch (string)

1 : Third Party Advisory (string)

]

url : https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd (string)

}

2 : { »

source : security-advisories@github.com (string)

tags : [ »

0 : Mitigation (string)

1 : Third Party Advisory (string)

]

url : https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62 (string)

}

3 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Mitigation (string)

1 : Vendor Advisory (string)

]

url : https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only (string)

}

4 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Patch (string)

1 : Third Party Advisory (string)

]

url : https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd (string)

}

5 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Mitigation (string)

1 : Third Party Advisory (string)

]

url : https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62 (string)

}

]

sourceIdentifier : security-advisories@github.com (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-79 (string)

}

]

source : security-advisories@github.com (string)

type : Secondary (string)

}

1 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-79 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object