CVE-2022-35943: 
PHP vulnerability analysis and mitigation

Shield, an authentication and authorization framework for CodeIgniter 4, was found to contain a vulnerability (CVE-2022-35943) that could allow SameSite attackers to bypass the CSRF protection mechanism. The vulnerability was discovered and disclosed in August 2022, affecting Shield version 1.0.0-beta. The issue was patched in version 1.0.0-beta.2 (GitHub Advisory).

The vulnerability exists regardless of the CSRF protection configuration (cookie or session) and regeneration settings. For a successful attack, the attacker must have direct or indirect control (e.g., through XSS) over a subdomain of the target site. For example, if an attacker controls https://a.example.com/, they could potentially attack http://example.com/. The vulnerability received a CVSS v3.1 score of 5.9 (Moderate) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:L (GitHub Advisory).

When successfully exploited, this vulnerability allows attackers to bypass the CSRF protection mechanisms in CodeIgniter Shield. This could potentially lead to unauthorized actions being performed on behalf of authenticated users, compromising the integrity of the application (GitHub Advisory).

Users should upgrade to CodeIgniter v4.2.3 or later and Shield v1.0.0-beta.2 or later. If upgrading is not immediately possible, the following workarounds can be implemented: set Config\Security::$csrfProtection to 'session', remove old session data right after login, and regenerate CSRF token right after login (GitHub Advisory).