VulnerableCode Package Details - pkg:composer/cachethq/cachet@2.3.14

Search for packages

Vulnerability	Summary	Fixed by
VCID-94ep-ygm1-rfe8 Aliases: CVE-2021-39174 GHSA-88f9-7xxh-c688	Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) Cachet is an open source status page system. Prior to version 2.5.1, authenticated users, regardless of their privileges (User or Admin), can leak the value of any configuration entry of the dotenv file, e.g. the application secret (`APP_KEY`) and various passwords (email, database, etc). This issue was addressed in version 2.5.1 by improving `UpdateConfigCommandHandler` and preventing the use of nested variables in the resulting dotenv configuration file. As a workaround, only allow trusted source IP addresses to access to the administration dashboard.	2.5.1 Affected by 0 other vulnerabilities.
VCID-bzeq-45zg-y3f2 Aliases: CVE-2021-39173 GHSA-r67m-m8c7-jp83	Incorrect Type Conversion or Cast Cachet is an open source status page system. Prior to version 2.5.1 authenticated users, regardless of their privileges (User or Admin), can trick Cachet and install the instance again, leading to arbitrary code execution on the server. This issue was addressed in version 2.5.1 by improving the middleware `ReadyForUse`, which now performs a stricter validation of the instance name. As a workaround, only allow trusted source IP addresses to access to the administration dashboard.	2.5.1 Affected by 0 other vulnerabilities.
VCID-gm6b-9jbz-qkd3 Aliases: CVE-2021-39172 GHSA-9jxw-cfrh-jxq6	Improper Neutralization of CRLF Sequences ('CRLF Injection') Cachet is an open source status page system. Prior to version 2.5.1, authenticated users, regardless of their privileges (User or Admin), can exploit a new line injection in the configuration edition feature (e.g. mail settings) and gain arbitrary code execution on the server. This issue was addressed in version 2.5.1 by improving `UpdateConfigCommandHandler` and preventing the use of new lines characters in new configuration values. As a workaround, only allow trusted source IP addresses to access to the administration dashboard.	2.5.1 Affected by 0 other vulnerabilities.
VCID-gmft-drz1-57gh Aliases: CVE-2021-39165 GHSA-79mg-4w23-4fqc	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Cachet is an open source status page. With Cachet prior to and including 2.3.18, there is a SQL injection which is in the `SearchableTrait#scopeSearch()`. Attackers without authentication can utilize this vulnerability to exfiltrate sensitive data from the database such as administrator's password and session. The original repository of Cachet <https://github.com/CachetHQ/Cachet> is not active, the stable version 2.3.18 and it's developing 2.4 branch is affected.	There are no reported fixed by versions.
VCID-ryeh-pvue-jqfy Aliases: CVE-2023-43661 GHSA-hv79-p62r-wg3p	Improper Control of Generation of Code ('Code Injection') Cachet, the open-source status page system. Prior to the 2.4 branch, a template functionality which allows users to create templates allows them to execute any code on the server during the bad filtration and old twig version. Commit 6fb043e109d2a262ce3974e863c54e9e5f5e0587 of the 2.4 branch contains a patch for this issue.	2.4.0 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-94ep-ygm1-rfe8
Aliases:
CVE-2021-39174
GHSA-88f9-7xxh-c688

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) Cachet is an open source status page system. Prior to version 2.5.1, authenticated users, regardless of their privileges (User or Admin), can leak the value of any configuration entry of the dotenv file, e.g. the application secret (`APP_KEY`) and various passwords (email, database, etc). This issue was addressed in version 2.5.1 by improving `UpdateConfigCommandHandler` and preventing the use of nested variables in the resulting dotenv configuration file. As a workaround, only allow trusted source IP addresses to access to the administration dashboard.

2.5.1
Affected by 0 other vulnerabilities.

VCID-bzeq-45zg-y3f2
Aliases:
CVE-2021-39173
GHSA-r67m-m8c7-jp83

Incorrect Type Conversion or Cast Cachet is an open source status page system. Prior to version 2.5.1 authenticated users, regardless of their privileges (User or Admin), can trick Cachet and install the instance again, leading to arbitrary code execution on the server. This issue was addressed in version 2.5.1 by improving the middleware `ReadyForUse`, which now performs a stricter validation of the instance name. As a workaround, only allow trusted source IP addresses to access to the administration dashboard.

2.5.1
Affected by 0 other vulnerabilities.

VCID-gm6b-9jbz-qkd3
Aliases:
CVE-2021-39172
GHSA-9jxw-cfrh-jxq6

Improper Neutralization of CRLF Sequences ('CRLF Injection') Cachet is an open source status page system. Prior to version 2.5.1, authenticated users, regardless of their privileges (User or Admin), can exploit a new line injection in the configuration edition feature (e.g. mail settings) and gain arbitrary code execution on the server. This issue was addressed in version 2.5.1 by improving `UpdateConfigCommandHandler` and preventing the use of new lines characters in new configuration values. As a workaround, only allow trusted source IP addresses to access to the administration dashboard.

2.5.1
Affected by 0 other vulnerabilities.

VCID-gmft-drz1-57gh
Aliases:
CVE-2021-39165
GHSA-79mg-4w23-4fqc

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Cachet is an open source status page. With Cachet prior to and including 2.3.18, there is a SQL injection which is in the `SearchableTrait#scopeSearch()`. Attackers without authentication can utilize this vulnerability to exfiltrate sensitive data from the database such as administrator's password and session. The original repository of Cachet <https://github.com/CachetHQ/Cachet> is not active, the stable version 2.3.18 and it's developing 2.4 branch is affected.

There are no reported fixed by versions.

VCID-ryeh-pvue-jqfy
Aliases:
CVE-2023-43661
GHSA-hv79-p62r-wg3p

Improper Control of Generation of Code ('Code Injection') Cachet, the open-source status page system. Prior to the 2.4 branch, a template functionality which allows users to create templates allows them to execute any code on the server during the bad filtration and old twig version. Commit 6fb043e109d2a262ce3974e863c54e9e5f5e0587 of the 2.4 branch contains a patch for this issue.

2.4.0
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T04:13:36.997071+00:00	GitLab Importer	Affected by	VCID-ryeh-pvue-jqfy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/cachethq/cachet/CVE-2023-43661.yml	38.6.0
2026-06-06T00:57:28.398870+00:00	GitLab Importer	Affected by	VCID-bzeq-45zg-y3f2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/cachethq/cachet/CVE-2021-39173.yml	38.6.0
2026-06-06T00:57:24.040729+00:00	GitLab Importer	Affected by	VCID-94ep-ygm1-rfe8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/cachethq/cachet/CVE-2021-39174.yml	38.6.0
2026-06-06T00:57:14.687124+00:00	GitLab Importer	Affected by	VCID-gmft-drz1-57gh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/cachethq/cachet/CVE-2021-39165.yml	38.6.0
2026-06-06T00:57:13.715594+00:00	GitLab Importer	Affected by	VCID-gm6b-9jbz-qkd3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/cachethq/cachet/CVE-2021-39172.yml	38.6.0