CVE-2022-21715 - Vulnerability Details

CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in `API\ResponseTrait` in Codeigniter4 prior to version 4.1.8. Attackers can do XSS attacks if a potential victim is using `API\ResponseTrait`. Version 4.1.8 contains a patch for this vulnerability. There are two potential workarounds available. Users may avoid using `API\ResponseTrait` or `ResourceController` Users may also disable Auto Route and use defined routes only.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00621.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Codeigniter	Codeigniter

Configuration 1 [-]

cpe:2.3:a:codeigniter:codeigniter:*:*:*:*:*:*:*:*

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-0495	CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in `API\ResponseTrait` in Codeigniter4 prior to version 4.1.8. Attackers can do XSS attacks if a potential victim is using `API\ResponseTrait`. Version 4.1.8 contains a patch for this vulnerability. There are two potential workarounds available. Users may avoid using `API\ResponseTrait` or `ResourceController` Users may also disable Auto Route and use defined routes only.
Github GHSA	GHSA-7528-7jg5-6g62	Cross-site Scripting Vulnerability in CodeIgniter4

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only
https://github.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd
https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62

History

Wed, 23 Apr 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-01-24T19:55:10.000Z

Updated: 2025-04-23T19:09:30.971Z

Reserved: 2021-11-16T00:00:00.000Z

Link: CVE-2022-21715

Vulnrichment

Updated: 2024-08-03T02:53:35.389Z

NVD

Status : Modified

Published: 2022-01-24T20:15:08.713

Modified: 2024-11-21T06:45:17.603

Link: CVE-2022-21715

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object