CVE-2022-21715

Description

### Impact Cross-Site Scripting (XSS) vulnerability was found in `API\ResponseTrait` in Codeigniter4. Attackers can do XSS attacks if you are using `API\ResponseTrait`. ### Patches Upgrade to v4.1.8 or later. ### Workarounds Do one of the following: 1. Do not use `API\ResponseTrait` nor `ResourceController` 2. Disable Auto Route and [Use Defined Routes Only](https://codeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only) ### References - [Cross Site Scripting (XSS) Software Attack | OWASP Foundation](https://owasp.org/www-community/attacks/xss/) ### For more information If you have any questions or comments about this advisory: * Open an issue in [codeigniter4/CodeIgniter4](https://github.com/codeigniter4/CodeIgniter4/issues) * Email us at [SECURITY.md](https://github.com/codeigniter4/CodeIgniter4/blob/develop/SECURITY.md)

How to fix CVE-2022-21715

To remediate CVE-2022-21715, upgrade the affected package to a fixed version below.

• —upgrade to 4.1.8 or later
• —upgrade to 4.1.8 or later

Is CVE-2022-21715 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• >= 4.0.0, < 4.1.8
• from 0, < 4.1.8

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-21715
• PATCHgithub.com/codeigniter4/framework
• WEBcodeigniter4.github.io/userguide/incoming/routing.html#use-defined-routes-only
• WEBgithub.com/codeigniter4/CodeIgniter4/commit/70d881cf5322b7c32e69516aebd2273ac6a1e8dd