Description

A vulnerability was discovered in the CodeIgniter session handling code. This issue was reported to EllisLab and a fixed version (2.2.0) was released on 5th June 2014, which removed the _xor_encode() method and required the use of Mcrypt.

Remediation

Upgrade to the latest version of CodeIgniter. This problem was fixed in CodeIgniter version 2.2.0.

References

CodeIgniter Session Decoding Vulnerability

Related Vulnerabilities

Sensitive pages could be cached

Apache Server-Info Detected

Spring Boot Misconfiguration: Actuator endpoint security disabled

PHP open_basedir Is Not Configured

CodeIgniter development mode enabled

Severity

High

Classification

CWE-327 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Configuration