
Laravel admin package Voyager vulnerable to one-click RCE flaw


Jasper_The_Rasper
Moderator

January 29, 2025 By Bill Toulas


Three vulnerabilities discovered in the open-source PHP package Voyager for managing Laravel applications could be used for remote code execution attacks.

The issues remain unfixed and can be exploited against an authenticated Voyager user that clicks on a malicious link.

Vulnerability researchers at SonarSource, a code quality and security company, say that they tried to report the flaws to the Voyager maintainers but received no reply within the 90-day window the company provides as per its vulnerability disclosure policy.

Vulnerability details

The SonarQube Cloud team found the first vulnerability in Voyager, an arbitrary file write, during its routine scans. Looking closer at the project, they discovered additional security issues that could be combined to run one-click remote code execution attacks on reachable Voyager instances.

The three flaws are summarized as follows:

  • CVE-2024-55417 – Voyager's media upload feature allows attackers to upload malicious files by bypassing MIME-type verification. By crafting a polyglot file that appears as an image or video but contains executable PHP code, an attacker can achieve remote code execution if the file is processed on the server.
  • CVE-2024-55416 – The /admin/compass endpoint in Voyager improperly sanitizes user input, allowing attackers to inject JavaScript into popup messages. If an authenticated admin clicks on a malicious link, the script executes in their browser, potentially allowing attackers to perform actions on their behalf, including escalating to remote code execution.
  • CVE-2024-55415 – A flaw in the file management system enables attackers to manipulate file paths and delete or access arbitrary files on the server. By exploiting this, attackers can disrupt services, erase critical files, or extract sensitive information.
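One defensive check an operator can apply against the polyglot-upload issue (CVE-2024-55417), as an added example that is not Voyager's or SonarSource's code: instead of trusting the client-supplied MIME type, it verifies the file's magic bytes against the claimed type, rejects any body that carries a PHP open tag (valid image data never contains one), and refuses PHP-executable extensions. The sample inputs in the test are constructed, not real uploads.

```python
import re

# Magic bytes for the image types the allowlist accepts (constructed allowlist).
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
}

# '<?php' and the short echo tag '<?=' anywhere in the body mark a polyglot.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

# Extensions a web server might hand to the PHP interpreter; checked on
# every dotted segment so 'shell.php.gif' is also refused.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


def check_upload(filename: str, data: bytes, claimed_mime: str) -> list[str]:
    """Return the reasons an upload should be rejected; an empty list means accept."""
    problems = []

    signatures = MAGIC.get(claimed_mime)
    if signatures is None:
        problems.append(f"MIME type not in allowlist: {claimed_mime}")
    elif not data.startswith(signatures):
        problems.append("magic bytes do not match claimed MIME type")

    if PHP_TAG.search(data):
        problems.append("PHP open tag found inside file body")

    segments = filename.lower().split(".")[1:]
    if any(seg in PHP_EXTENSIONS for seg in segments):
        problems.append("filename carries a PHP-executable extension")

    return problems
```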
