SB2022100669 - Improper Initialization in CodeIgniter4
Published: October 6, 2022 Updated: May 23, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Improper Initialization (CVE-ID: CVE-2022-39284)
CWE-ID: CWE-665 - Improper Initialization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass intended cookie security restrictions.
The vulnerability exists due to improper initialization in set_cookie() and Response::setCookie() when issuing cookies based on Config\Cookie settings. A remote attacker can cause cookies to be issued without the secure or HttpOnly flag to bypass intended cookie security restrictions.
Session cookies are not affected.
Remediation
Install update from vendor's website.