Three security flaws have been disclosed in the open-source PHP package Voyager that could be exploited by an attacker to achieve one-click remote code execution on affected instances.
“When an authenticated Voyager user clicks on a malicious link, attackers can execute arbitrary code on the server,” Sonar researcher Yaniv Nizry said in a write-up published earlier this week.
The identified issues, which remain unpatched to date despite responsible disclosure on September 11, 2024, are listed below –
- CVE-2024-55417 – An arbitrary file write vulnerability in the “/admin/media/upload” endpoint
- CVE-2024-55416 – A reflected cross-site scripting (XSS) vulnerability in the “/admin/compass” endpoint
- CVE-2024-55415 – An arbitrary file leak and deletion vulnerability
A malicious attacker could leverage Voyager’s media upload feature to upload a malicious file in a manner that bypasses MIME type verification, and make use of a polyglot file that appears as an image or video but contains executable PHP code to trick the server into processing it as a PHP script, thereby resulting in remote code execution.
The vulnerability could also be chained with CVE-2024-55416, elevating it into a critical threat that leads to code execution when a victim clicks on a malicious link.
“This means that if an authenticated user clicks on a specially crafted link, arbitrary JavaScript code can be executed,” Nizry explained. “As a result, an attacker can perform any subsequent action in the context of the victim.”
CVE-2024-55415, on the other hand, concerns a flaw in the file management system that enables threat actors to wipe arbitrary files from the system, or exploit it in conjunction with the XSS vulnerability to extract the contents of the files.
In the absence of a fix, users are advised to exercise caution when using the project in their applications.