Researchers from SonarSource have warned that several security flaws in the open source status page system Cachet might allow an attacker to execute arbitrary code and steal sensitive data.
The first flaw (CVE-2021-39172) is a newline injection that occurs when users change the configuration of an instance, such as the email settings. It allows attackers to inject new directives and change the behavior of fundamental functionalities, allowing arbitrary code to be executed.
This feature also has a second vulnerability (CVE-2021-39174), which allows attackers to exfiltrate secrets saved in the configuration file, such as database passwords and framework keys.
Finally, according to experts, the last flaw (CVE-2021-39173) allows an attacker to modify the setup process even if the target instance is already fully configured.
To Read More: portswigger
For more such updates follow us on Google News ITsecuritywire News.
