CVE-2022-35943 MEDIUM

CVE-2022-35943: SameSite may allow cross-site request forgery (CSRF) protection to be bypassed

Vendor Codeigniter4
Product shield
Weakness CWE-352 · CSRF
Published August 12, 2022
Last update April 22, 2025

CVSS base score

5.9/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:L

What the vulnerability does

01Description

Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow [SameSite Attackers](https://canitakeyoursubdomain.name/) to bypass the [CodeIgniter4 CSRF protection](https://codeigniter4.github.io/userguide/libraries/security.html) mechanism with CodeIgniter Shield. For this attack to succeed, the attacker must have direct (or indirect, e.g., XSS) control over a subdomain site (e.g., `https://a.example.com/`) of the target site (e.g., `http://example.com/`). Upgrade to **CodeIgniter v4.2.3 or later** and **Shield v1.0.0-beta.2 or later**. As a workaround: set `Config\Security::$csrfProtection` to `'session,'`remove old session data right after login (immediately after ID and password match) and regenerate CSRF token right after login (immediately after ID and password match)

Key dates

02Disclosure timeline

August 12, 2022 CVE published
April 22, 2025 Record updated

Related vulnerabilities

04Related CVE