ByteOS Network

Vulnerability Details :

CVE-2014-8684

Assigner-mitre

Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca

Published At-19 Sep, 2017 | 19:00

Updated At-06 Aug, 2024 | 13:26

CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes.

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:mitre

Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca

Published At:19 Sep, 2017 | 19:00

Updated At:06 Aug, 2024 | 13:26

▼CVE Numbering Authority (CNA)

Affected Products

Vendor

n/a

Product

n/a

Versions

Affected

Problem Types

Type	CWE ID	Description
text	N/A	n/a

Type: text

CWE ID: N/A

Description: n/a

References

Hyperlink	Resource
https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection	x_refsource_MISC
http://seclists.org/fulldisclosure/2014/May/54	mailing-list x_refsource_FULLDISC
https://github.com/kohana/core/pull/492	x_refsource_CONFIRM
http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html	x_refsource_MISC

Hyperlink: https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection

Resource:

x_refsource_MISC

Hyperlink: http://seclists.org/fulldisclosure/2014/May/54

Resource:

mailing-list

x_refsource_FULLDISC

Hyperlink: https://github.com/kohana/core/pull/492

Resource:

x_refsource_CONFIRM

Hyperlink: http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html

Resource:

x_refsource_MISC

▼Authorized Data Publishers (ADP)

CVE Program Container

References

Hyperlink	Resource
https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection	x_refsource_MISC x_transferred
http://seclists.org/fulldisclosure/2014/May/54	mailing-list x_refsource_FULLDISC x_transferred
https://github.com/kohana/core/pull/492	x_refsource_CONFIRM x_transferred
http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html	x_refsource_MISC x_transferred

Hyperlink: https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection

Resource:

x_refsource_MISC

x_transferred

Hyperlink: http://seclists.org/fulldisclosure/2014/May/54

Resource:

mailing-list

x_refsource_FULLDISC

x_transferred

Hyperlink: https://github.com/kohana/core/pull/492

Resource:

x_refsource_CONFIRM

x_transferred

Hyperlink: http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html

Resource:

x_refsource_MISC

x_transferred

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:cve@mitre.org

Published At:19 Sep, 2017 | 19:29

Updated At:20 Apr, 2025 | 01:37

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.0	9.8	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary	2.0	7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P

Type: Primary

Version: 3.0

Base score: 9.8

Base severity: CRITICAL

Vector:

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Type: Primary

Version: 2.0

Base score: 7.5

Base severity: HIGH

Vector:

AV:N/AC:L/Au:N/C:P/I:P/A:P

CPE Matches

codeigniter>>codeigniter>>Versions up to 2.2.6(inclusive)

cpe:2.3:a:codeigniter:codeigniter:*:*:*:*:*:*:*:*

kohanaframework>>kohana>>3.2.3

cpe:2.3:a:kohanaframework:kohana:3.2.3:*:*:*:*:*:*:*

kohanaframework>>kohana>>3.3.0

cpe:2.3:a:kohanaframework:kohana:3.3.0:*:*:*:*:*:*:*

kohanaframework>>kohana>>3.3.1

cpe:2.3:a:kohanaframework:kohana:3.3.1:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-310	Primary	nvd@nist.gov

CWE ID: CWE-310

Type: Primary

Source: nvd@nist.gov

References

Hyperlink	Source	Resource
http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html	cve@mitre.org	Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2014/May/54	cve@mitre.org	Mailing List Third Party Advisory
https://github.com/kohana/core/pull/492	cve@mitre.org	Third Party Advisory
https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection	cve@mitre.org	Third Party Advisory
http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html	af854a3a-2127-422b-91ae-364da2661108	Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2014/May/54	af854a3a-2127-422b-91ae-364da2661108	Mailing List Third Party Advisory
https://github.com/kohana/core/pull/492	af854a3a-2127-422b-91ae-364da2661108	Third Party Advisory
https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection	af854a3a-2127-422b-91ae-364da2661108	Third Party Advisory

Hyperlink: http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html

Source: cve@mitre.org

Resource:

Third Party Advisory

VDB Entry

Hyperlink: http://seclists.org/fulldisclosure/2014/May/54

Source: cve@mitre.org

Resource:

Mailing List

Third Party Advisory

Hyperlink: https://github.com/kohana/core/pull/492

Source: cve@mitre.org

Resource:

Third Party Advisory

Hyperlink: https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection

Source: cve@mitre.org

Resource:

Third Party Advisory

Hyperlink: http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html

Source: af854a3a-2127-422b-91ae-364da2661108

Resource:

Third Party Advisory

VDB Entry

Hyperlink: http://seclists.org/fulldisclosure/2014/May/54

Source: af854a3a-2127-422b-91ae-364da2661108

Resource:

Mailing List

Third Party Advisory

Hyperlink: https://github.com/kohana/core/pull/492

Source: af854a3a-2127-422b-91ae-364da2661108

Resource:

Third Party Advisory

Hyperlink: https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection

Source: af854a3a-2127-422b-91ae-364da2661108

Resource:

Third Party Advisory

Similar CVEs

7Records found

CVE-2016-10131

Matching Score-8

Assigner-MITRE Corporation

View Details

Matching Score-8

Assigner-MITRE Corporation

CVSS Score-9.8||CRITICAL

EPSS-3.34% / 86.78%

7 Day CHG~0.00%

Published-12 Jan, 2017 | 06:06

Updated-20 Apr, 2025 | 01:37

system/libraries/Email.php in CodeIgniter before 3.1.3 allows remote attackers to execute arbitrary code by leveraging control over the email->from field to insert sendmail command-line arguments.

Vendor-codeigniter n/a

Product-codeigniter n/a

CWE ID-CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVE-2015-5725

Matching Score-8

Assigner-MITRE Corporation

View Details

Matching Score-8

Assigner-MITRE Corporation

CVSS Score-9.8||CRITICAL

EPSS-0.70% / 71.08%

7 Day CHG~0.00%

Published-21 Feb, 2018 | 16:00

Updated-06 Aug, 2024 | 06:59

SQL injection vulnerability in the offset method in the Active Record class in CodeIgniter before 2.2.4 allows remote attackers to execute arbitrary SQL commands via vectors involving the offset variable.

Vendor-codeigniter n/a

Product-codeigniter n/a

CWE ID-CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2014-8686

Matching Score-8

Assigner-MITRE Corporation

View Details

Matching Score-8

Assigner-MITRE Corporation

CVSS Score-9.8||CRITICAL

EPSS-31.17% / 96.60%

7 Day CHG~0.00%

Published-19 Sep, 2017 | 19:00

Updated-20 Apr, 2025 | 01:37

CodeIgniter before 2.2.0 makes it easier for attackers to decode session cookies by leveraging fallback to a custom XOR-based encryption scheme when the Mcrypt extension for PHP is not available.

Vendor-codeigniter n/a

Product-codeigniter n/a

CVE-2022-24711

Matching Score-8

Assigner-GitHub, Inc.

View Details

Matching Score-8

Assigner-GitHub, Inc.

CVSS Score-9.4||CRITICAL

EPSS-0.41% / 60.71%

7 Day CHG+0.02%

Published-28 Feb, 2022 | 15:45

Updated-23 Apr, 2025 | 19:00

Remote CLI Command Execution Vulnerability in CodeIgniter4

CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. Prior to version 4.1.9, an improper input validation vulnerability allows attackers to execute CLI routes via HTTP request. Version 4.1.9 contains a patch. There are currently no known workarounds for this vulnerability.

Vendor-codeigniter codeigniter4

Product-codeigniter CodeIgniter4

CWE ID-CWE-20

Improper Input Validation

CVE-2022-21647

Matching Score-8

Assigner-GitHub, Inc.

View Details

Matching Score-8

Assigner-GitHub, Inc.

CVSS Score-7.7||HIGH

EPSS-10.87% / 93.11%

7 Day CHG~0.00%

Published-04 Jan, 2022 | 20:05

Updated-23 Apr, 2025 | 19:14

Deserialization of Untrusted Data in Codeigniter4

CodeIgniter is an open source PHP full-stack web framework. Deserialization of Untrusted Data was found in the `old()` function in CodeIgniter4. Remote attackers may inject auto-loadable arbitrary objects with this vulnerability, and possibly execute existing PHP code on the server. We are aware of a working exploit, which can lead to SQL injection. Users are advised to upgrade to v4.1.6 or later. Users unable to upgrade as advised to not use the `old()` function and form_helper nor `RedirectResponse::withInput()` and `redirect()->withInput()`.

Vendor-codeigniter codeigniter4

Product-codeigniter CodeIgniter4

CWE ID-CWE-502

Deserialization of Untrusted Data

CVE-2019-8979

Matching Score-8

Assigner-MITRE Corporation

View Details

Matching Score-8

Assigner-MITRE Corporation

CVSS Score-9.8||CRITICAL

EPSS-8.41% / 91.95%