An attacker can inject arbitrary SQL code into the database by controlling the value of a parameter passed to the or_not_like() function in system\database\DB_query_builder.php. An attacker can leverage this vulnerability to run malicious code or obtain sensitive data.

End users are advised to update to the latest version, 3.2.2 or 3.3.3, as soon as possible.
Affected versions: Codeigniter 3.2.2, 3.3.3, 3.4.5, 3.5.7, 3.6.9, 3.7.11, 3.8.13, 3.9.15, 3.10.17, 3.11.19, 3.12.21, 3.13.23, 3.14.25, 3.15.27, 3.16.29, 3.17.31, 3.18.33, 3.19.35, 3.20.37, 3.21.39, 3.22.41, 3.23.43, 3.24.45, 3.25.47, 3.26.49 and 3.27.51.

Codeigniter 3.2.2

- CVE-2022-40834

Codeigniter 3.2.2 SQL Injection Vulnerability

Codeigniter 3.2.2 is not vulnerable to the SQL Injection vulnerability.

What is Codeigniter?

Codeigniter is a web application framework written in PHP. It is a very popular choice for new and experienced developers alike, with over 2 million downloads on the official website.

It allows you to create dynamic websites without writing any code, using pages, templates and features that you can set up quickly and easily, making it an excellent choice for beginners.

The framework supports both server-side and client-side scripting, which means that the same script can be used either on your server or in your browser.

Timeline

Published on: 10/07/2022 11:15:00 UTC
Last modified on: 10/08/2022 01:24:00 UTC