Improper Initialization in CodeIgniter4 - CVE-2022-39284
Published: October 6, 2022 / Updated: May 23, 2026
CodeIgniter4
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass intended cookie security restrictions.
The vulnerability exists due to improper initialization in set_cookie() and Response::setCookie() when issuing cookies based on Config\Cookie settings. A remote attacker can cause cookies to be issued without the secure or HttpOnly flag to bypass intended cookie security restrictions.
Session cookies are not affected.