PT-2021-22422 · Cachet · Cachet

Phith0N · Published 2021-08-26 · Updated 2022-03-18 · CVE-2021-39165

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions: Cachet versions prior to 2.5

Description: The issue is a SQL injection vulnerability located in the SearchableTrait#scopeSearch() function. This vulnerability can be exploited by attackers without authentication to exfiltrate sensitive data from the database, including administrator passwords and sessions.

Recommendations: Update to version 2.5 or later in the https://github.com/fiveai/Cachet fork to fix this vulnerability. As a temporary workaround, consider restricting access to the SearchableTrait#scopeSearch() function until a patch is available.

Exploit

Fix

SQL injection

Improper Authentication

Weakness Enumeration

Related Identifiers

CVE-2021-39165
GHSA-79MG-4W23-4FQC

Affected Products

Cachet