Impact
Deserialization of Untrusted Data was found in the old() function in CodeIgniter4.
Remote attackers may inject auto-loadable arbitrary objects with this vulnerability,
and possibly execute existing PHP code on the server.
We are aware of a working exploit, which can lead to SQL injection.
Patches
Upgrade to v4.1.6 or later.
Workarounds
Do not use:
old() and form_helperRedirectResponse::withInput() and redirect()->withInput()
References
For more information
If you have any questions or comments about this advisory:
Impact
Deserialization of Untrusted Data was found in the
old()function in CodeIgniter4.Remote attackers may inject auto-loadable arbitrary objects with this vulnerability,
and possibly execute existing PHP code on the server.
We are aware of a working exploit, which can lead to SQL injection.
Patches
Upgrade to v4.1.6 or later.
Workarounds
Do not use:
old()and form_helperRedirectResponse::withInput()andredirect()->withInput()References
For more information
If you have any questions or comments about this advisory: