Description
CodeIgniter is a PHP full-stack web framework. Prior to CodeIgniter4 version 4.4.3, if an error or exception occurs, a detailed error report is displayed even if in the production environment. As a result, confidential information may be leaked. Version 4.4.3 contains a patch. As a workaround, replace `ini_set('display_errors', '0')` with `ini_set('display_errors', 'Off')` in `app/Config/Boot/production.php`.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hwxf-qxj7-7rfj
Patch x_refsource_misc
https://github.com/codeigniter4/CodeIgniter4/commit/423569fc31e29f51635a2e59c89770333f0e7563
Product x_refsource_misc
https://codeigniter4.github.io/userguide/general/errors.html#error-reporting
Scores
CVSS v3
7.5
EPSS
0.0062
EPSS Percentile
44.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-209
Status
published
Products (2)
codeigniter/codeigniter
< 4.4.3
codeigniter4/framework
0 - 4.4.3Packagist
Published
Oct 31, 2023
Tracked Since
Feb 18, 2026