CVE-2023-46240
Published 2023-10-31
Priority: P3 (39) · Severity: high · CVSS 3.1 base score: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.62% (45.3rd percentile)
CodeIgniter is a PHP full-stack web framework. Prior to CodeIgniter4 version 4.4.3, if an error or exception occurs, a detailed error report is displayed even if in the production environment. As a result, confidential information may be leaked. Version 4.4.3 contains a patch. As a workaround, replace `ini_set('display_errors', '0')` with `ini_set('display_errors', 'Off')` in `app/Config/Boot/production.php`.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| codeigniter | codeigniter | < 4.4.3 | 4.4.3 |
| codeigniter4 | codeigniter4 | < 4.4.3 | 4.4.3 |
| codeigniter4 | framework | >= 0 < 4.4.3 | 4.4.3 |
GHSA (ghsa · 2023-10-30)
CVE-2023-46240 [HIGH] CWE-209: CodeIgniter4 vulnerable to information disclosure when detailed error report is displayed in production environment
### Impact
If an error or exception occurs in CodeIgniter4 v4.4.2 and earlier, a detailed error report is displayed even if in the production environment. As a result, confidential information may be leaked.
### Patches
Upgrade to v4.4.3 or later. See [upgrading guide](https://codeigniter4.github.io/userguide/installation/upgrade_443.html).
### Workarounds
Replace `ini_set('display_errors', '0')` with `ini_set('display_errors', 'Off')` in `app/Config/Boot/production.php`.
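The workaround shows that the affected releases treated the numeric spelling `'0'` and the textual spelling `'Off'` of `display_errors` differently, which is what turned a production deployment into a detailed-error-page deployment (CWE-209). The following is an added example, not CodeIgniter's own code: a boot-file fragment with the weak and corrected spelling side by side, plus a fail-closed helper and a boot-time self-check that normalise every boolean spelling PHP accepts with the standard `filter_var()`. Function names (`iniBool`, `detailedErrorsAllowed`, `assertProductionErrorDisplayOff`) and the sample inputs are assumptions made for this example.

```php
<?php
// Added example (not CodeIgniter's own code). Assumes only PHP >= 7.4 and the
// standard library; function names below are illustrative.

// --- app/Config/Boot/production.php fragment -------------------------------
// Spelling used by affected versions (the advisory replaces it):
//   ini_set('display_errors', '0');
// Spelling the advisory recommends as the workaround before 4.4.3:
ini_set('display_errors', 'Off');

// --- Normalising the INI value ---------------------------------------------

/**
 * Map every boolean spelling PHP accepts onto a real bool.
 * "1"/"on"/"true"/"yes" -> true; "0"/"off"/"false"/"no"/"" -> false;
 * anything else (for example "stderr") -> null, i.e. "unknown, do not trust".
 * Case-insensitive, so 'Off' and 'OFF' and '0' all normalise to false.
 */
function iniBool(string $value): ?bool
{
    return filter_var(trim($value), FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
}

/**
 * Decide whether a detailed error view may be rendered. Fails closed:
 * production never gets the detailed view regardless of display_errors, and
 * elsewhere only an explicit "on" spelling enables it. An unrecognised value
 * therefore selects the generic page instead of the detailed one.
 */
function detailedErrorsAllowed(string $displayErrors, string $environment): bool
{
    if ($environment === 'production') {
        return false;
    }

    return iniBool($displayErrors) === true;
}

/**
 * Boot-time self-check for production: log loudly if display_errors is in any
 * state other than an explicit "off". Returns the normalised value so callers
 * can also surface it in a health endpoint or deployment test.
 */
function assertProductionErrorDisplayOff(): ?bool
{
    $raw        = (string) ini_get('display_errors');
    $normalised = iniBool($raw);

    if ($normalised !== false) {
        error_log(sprintf(
            "display_errors is %s in production; expected an explicit off value",
            var_export($raw, true)
        ));
    }

    return $normalised;
}

// --- Constructed inputs: the two spellings from the advisory plus edge cases --
$cases = ['0', 'Off', 'off', '1', 'On', 'stderr', ''];

foreach ($cases as $value) {
    printf(
        "display_errors=%-9s normalised=%-6s detailed view in production: %s\n",
        var_export($value, true),
        var_export(iniBool($value), true),
        detailedErrorsAllowed($value, 'production') ? 'yes' : 'no'
    );
}

assertProductionErrorDisplayOff();
```

The point of `detailedErrorsAllowed()` is the direction of the check: it enumerates the spellings that *enable* the detailed view rather than the ones that disable it, so a spelling the code never anticipated ('0' in the affected releases) lands on the safe side. The self-check is cheap enough to run on every request in production and gives a detection signal (a log line) the moment a deployment drifts to a permissive value.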
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [codeigniter4/CodeIgniter4](https://github.com/codeigniter4/CodeIgniter4/issues)
* Email us at [SECU
OSV (osv · 2023-10-30)
CVE-2023-46240 [HIGH] CodeIgniter4 vulnerable to information disclosure when detailed error report is displayed in production environment
(Advisory text identical to the GHSA entry above.)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
* https://codeigniter4.github.io/userguide/general/errors.html#error-reporting
* https://github.com/codeigniter4/CodeIgniter4/commit/423569fc31e29f51635a2e59c89770333f0e7563
* https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hwxf-qxj7-7rfj
Published: 2023-10-31