Skip to main content
CyberSecurity

Unpatched PHP Voyager Flaws Expose Servers to One-Click RCE

simran January 30, 2025
Unpatched PHP Voyager Flaws Expose Servers to One-Click RCE

Unpatched PHP Voyager Flaws

Security Flaws Disclosed in Open-Source PHP Package Voyager

By Ravie Lakshmanan on January 30, 2025

Image: Unpatched PHP Voyager Flaws

Three security flaws have been disclosed in the open-source PHP package Voyager that could be exploited by an attacker to achieve one-click remote code execution on affected instances.

"When an authenticated Voyager user clicks on a malicious link, attackers can execute arbitrary code on the server," Sonar researcher Yaniv Nizry said in a write-up published earlier this week.

Vulnerabilities Disclosed

The identified issues, which remain unpatched to date despite responsible disclosure on September 11, 2024, are listed below:

  • CVE-2024-55417: An arbitrary file write vulnerability in the "/admin/media/upload" endpoint
  • CVE-2024-55416: A reflected cross-site scripting (XSS) vulnerability in the "/admin/compass" endpoint
  • CVE-2024-55415: An arbitrary file leak and deletion vulnerability

Exploitation of Vulnerabilities

A malicious attacker could leverage Voyager’s media upload feature to upload a malicious file in a manner that bypasses MIME type verification, and make use of a polyglot file that appears as an image or video but contains executable PHP code to trick the server into processing it as a PHP script, thereby resulting in remote code execution.

The vulnerability could also be chained with CVE-2024-55416, elevating it into a critical threat that leads to code execution when a victim clicks on a malicious link.

Chaining Vulnerabilities

"The vulnerability could also be chained with CVE-2024-55416, elevating it into a critical threat that leads to code execution when a victim clicks on a malicious link," Nizry explained. "This means that if an authenticated user clicks on a specially crafted link, arbitrary JavaScript code can be executed. As a result, an attacker can perform any subsequent action in the context of the victim."

Conclusion

In the absence of a fix, users are advised to exercise caution when using the project in their applications.

Stay Informed

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.


Source Link

Next Post

You May Also Like

Artist Yinka Ilori uses AI to bring vision to lifeTech

Artist Yinka Ilori uses AI to bring vision to life

January 31, 2025
Allegedly AI-generated Blade Runner imagery shown by Tesla
Musk Dismisses AI-Generated ‘Blade Runner’ SuitNews

Musk Dismisses AI-Generated ‘Blade Runner’ Suit

February 5, 2025
Vallejo Police Department
Bizarre Cult Linked to Multiple MurdersNews

Bizarre Cult Linked to Multiple Murders

February 1, 2025

FUSION MAG