    Unpatched PHP Voyager Vulnerabilities Expose Servers to Devastating RCE Attacks

    A trio of severe security vulnerabilities has been unearthed within the open-source PHP framework Voyager, rendering affected instances susceptible to remote code execution (RCE) with a single user interaction.

    According to Sonar researcher Yaniv Nizry, when an authenticated Voyager user is lured into clicking a maliciously engineered hyperlink, adversaries can surreptitiously inject and execute arbitrary code on the underlying server. This alarming revelation was detailed in an in-depth security analysis published earlier this week.

    The Unresolved Security Gaps

    Despite responsible disclosure on September 11, 2024, the identified vulnerabilities remain unpatched, heightening the risk for deployments still leveraging vulnerable versions of Voyager. The disclosed flaws are as follows:

    • CVE-2024-55417 – Arbitrary file write flaw within the "/admin/media/upload" endpoint.
    • CVE-2024-55416 – Reflected Cross-Site Scripting (XSS) vulnerability in the "/admin/compass" endpoint.
    • CVE-2024-55415 – File exposure and arbitrary deletion flaw.

    Exploitation Pathway & Attack Vector

    Attackers can weaponize Voyager’s media upload function to clandestinely introduce malicious payloads by circumventing MIME-type validation mechanisms. By crafting a polyglot file, which masquerades as a benign image or video but harbors executable PHP code, an attacker can manipulate the system into treating the file as a valid PHP script—culminating in remote code execution.

    Moreover, this exploit can be amplified when combined with CVE-2024-55416, escalating the severity by enabling code execution upon user interaction. If a logged-in user unwittingly follows a maliciously crafted link, JavaScript payloads can be injected, granting attackers the ability to execute commands within the victim’s authenticated session.

    “This essentially means that once an authenticated user interacts with the trap, the injected JavaScript executes immediately,” Nizry elaborated. “Consequently, the attacker gains control to perform any subsequent action within the victim’s scope.”

    Meanwhile, CVE-2024-55415 presents an equally pressing concern. This flaw allows attackers to delete arbitrary files from the system or, when combined with the XSS vulnerability, to extract confidential data.

    Mitigation & Defensive Measures

    Since an official patch has yet to be issued, security-conscious users are strongly urged to exercise extreme vigilance when utilizing Voyager within their applications. Until a remediation is available, organizations should consider restricting access, implementing Web Application Firewalls (WAFs), and conducting thorough security audits to mitigate potential exploitation.
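
    As part of such an audit, stored uploads can be checked for the polyglot pattern described above. The script below is an added example, not code from Voyager or from Sonar's analysis; the magic-byte table, the list of executable extensions and the sample files are assumptions constructed for illustration.

```python
import os

# Magic-byte prefixes of media types an upload allowlist typically accepts (assumed list).
MEDIA_MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}
# Extensions a PHP-enabled web server may hand to the interpreter (assumed list).
EXEC_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7", ".pht"}
# Only the full open tag is matched; short tags are skipped to limit false positives.
PHP_MARKER = b"<?php"


def classify_upload(name, data):
    """Return audit findings for one stored upload; an empty list means clean."""
    findings = []
    ext = os.path.splitext(name.lower())[1]
    kind = next((k for k, m in MEDIA_MAGIC.items() if data.startswith(m)), None)
    has_php = PHP_MARKER in data.lower()
    if ext in EXEC_EXTS:
        findings.append("executable-extension")
    if kind and has_php:
        findings.append("polyglot:" + kind)  # passes a media check, carries PHP
    elif has_php:
        findings.append("php-content")
    return findings


def audit_tree(root):
    """Walk a media storage directory and report every file with findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                found = classify_upload(fn, fh.read())
            if found:
                report[path] = found
    return report


# Constructed samples: a bare PNG header, and the same header followed by a PHP tag.
SAMPLES = {
    "logo.png": MEDIA_MAGIC["png"] + b"\x00" * 16,
    "avatar.php": MEDIA_MAGIC["png"] + b"\x00" * 16 + b"<?php /* constructed */ ?>",
}

if __name__ == "__main__":
    for sample_name, sample_data in SAMPLES.items():
        print(sample_name, classify_upload(sample_name, sample_data))
```

    Run audit_tree against the directory where the application stores uploaded media; any reported file deserves manual review before it is removed.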
