CodeIgniter is an open source PHP full-stack web framework. Deserialization of Untrusted Data was found in the `old()` function in CodeIgniter4. Remote attackers may inject auto-loadable arbitrary objects with this vulnerability, and possibly execute existing PHP code on the server. We are aware of a working exploit, which can lead to SQL injection. Users are advised to upgrade to v4.1.6 or later. Users unable to upgrade as advised to not use the `old()` function and form_helper nor `RedirectResponse::withInput()` and `redirect()->withInput()`.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2022-01-04T20:05:11
Updated: 2024-08-03T02:46:39.441Z
Reserved: 2021-11-16T00:00:00
Link: CVE-2022-21647
Vulnrichment
No data.
NVD
Status : Modified
Published: 2022-01-04T20:15:07.930
Modified: 2024-11-21T06:45:08.910
Link: CVE-2022-21647
Redhat
No data.