Improper Control of Generation of Code ('Code Injection') Affecting cachethq/cachet package, versions >=0.0.0, <v2.4.0


Severity

Critical (CVSS v3.1 assessment made by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Proof of concept
EPSS: 0.11% (47th percentile)

  • Snyk ID: SNYK-PHP-CACHETHQCACHET-5961710
  • Published: 12 Oct 2023
  • Disclosed: 11 Oct 2023
  • Credit: rive-n

Introduced: 11 Oct 2023

CVE-2023-43661
CWE-94

How to fix?

Upgrade cachethq/cachet to version v2.4.0 or higher.

Overview

cachethq/cachet is an open source status page system, for everyone.

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') via the template functionality: because of insufficient input filtering and an outdated Twig version, an attacker who can create templates can execute arbitrary code on the server. This is only exploitable if the user has the ability to create templates.
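As an added example that is not part of the advisory or the Cachet project, the following Python audit flags a cachethq/cachet entry below the fixed v2.4.0 in a composer.lock, handling the `v` prefix and pre-release suffixes that make naive string comparison unreliable. It assumes the package appears in a lock file and runs against a constructed lock fragment embedded below.

```python
"""Audit a composer.lock for the cachethq/cachet range in this advisory.

SAMPLE_LOCK is a constructed lock fragment, not a real deployment.
"""
import json
import re

VULNERABLE_PACKAGE = "cachethq/cachet"
FIXED_VERSION = "v2.4.0"   # advisory: upgrade to v2.4.0 or higher


def parse_version(tag):
    """'v2.3.18' -> ((2, 3, 18), 1); '2.4.0-RC1' -> ((2, 4, 0), 0).

    The trailing flag sorts a pre-release below its final release, so
    2.4.0-RC1 still counts as older than the fix. Returns None for tags
    with no numeric core (e.g. 'dev-master'), which cannot be compared.
    """
    core, _, suffix = tag.strip().lstrip("vV").partition("-")
    if not re.match(r"\d", core):
        return None
    parts = [int(p) for p in re.findall(r"\d+", core)][:3]
    parts += [0] * (3 - len(parts))
    return (tuple(parts), 0 if suffix else 1)


def is_vulnerable(version):
    """True if version is below the fix, or cannot be resolved (needs review)."""
    parsed = parse_version(version)
    if parsed is None:
        return True
    return parsed < parse_version(FIXED_VERSION)


def audit_lock(lock_text):
    """Return (name, version) for every affected cachethq/cachet entry."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == VULNERABLE_PACKAGE and is_vulnerable(pkg.get("version", "")):
                findings.append((pkg["name"], pkg["version"]))
    return findings


# Constructed lock fragment for demonstration only (versions are illustrative).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "cachethq/cachet", "version": "v2.3.18"},
        {"name": "example/other-lib", "version": "1.0.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for name, version in audit_lock(SAMPLE_LOCK):
        print(f"{name} {version}: affected (<v2.4.0, CVE-2023-43661)")
```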
