Sunday, February 2, 2025

Laravel admin package Voyager vulnerable to one-click RCE flaw

Three vulnerabilities found in the open-source PHP package Voyager for managing Laravel applications could be used for remote code execution attacks.

The issues remain unfixed and can be exploited against an authenticated Voyager user who clicks on a malicious link.

Vulnerability researchers at SonarSource, a code quality and security company, say that they tried to report the flaws to the Voyager maintainers but received no reply within the 90-day window the company provides under its vulnerability disclosure policy.

Vulnerability details

The SonarQube Cloud team found the first vulnerability in Voyager, an arbitrary file write, during its routine scans. Looking closer at the project, they discovered additional security issues that could be combined to run one-click remote code execution attacks on reachable Voyager instances.

The three flaws are summarized as follows:

  • CVE-2024-55417 – Voyager's media upload feature allows attackers to upload malicious files by bypassing MIME-type verification. By crafting a polyglot file that appears to be an image or video but contains executable PHP code, an attacker can achieve remote code execution if the file is processed on the server.
  • CVE-2024-55416 – The /admin/compass endpoint in Voyager improperly sanitizes user input, allowing attackers to inject JavaScript into popup messages. If an authenticated admin clicks on a malicious link, the script executes in their browser, potentially allowing attackers to perform actions on their behalf, including escalating to remote code execution.
  • CVE-2024-55415 – A flaw in the file management system allows attackers to manipulate file paths and delete or access arbitrary files on the server. By exploiting this, attackers can disrupt services, erase critical files, or extract sensitive information.

According to SonarQube Cloud researchers, they reported the three issues to the Voyager maintainers over email and GitHub starting September 11, 2024, but received no communication back.

During the 90-day disclosure period, they tried several times to obtain a reply and to inform the maintainers that the public disclosure date was approaching.

The researchers say that they also opened a security report via GitHub on November 28 and notified the Voyager maintainers that the 90-day disclosure window had expired and that they were about to share the technical details publicly.

Impact and recommendations

Voyager is primarily used by Laravel developers who need a pre-built admin panel to manage their applications.

Typical users are web development firms, startups, freelance developers, Laravel hobbyists, and generally small to medium-sized businesses that use Laravel for internal tools or CMS-based applications.

The Voyager project is highly popular: it has been forked 2,700 times on GitHub, received more than 11,800 stars, and counts millions of downloads.

Given that the three flaws SonarQube discovered remain unpatched, Voyager users should consider restricting access to trusted users only, limiting "browse_media" permissions to prevent unauthorized file uploads, and using role-based access control (RBAC) to minimize exposure.

Server-level security measures include disabling the execution of PHP files, using strict MIME type validation to reject polyglot files, and regularly monitoring logs for unusual file upload or access activity.
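To show why "strict MIME type validation" has to mean more than reading a file's magic bytes, here is an added Python example (not Voyager's code, and not SonarSource's proof of concept) that contrasts a header-only sniff with a validator that also requires a matching extension and rejects any embedded PHP open tag. The magic-byte allow-list and the sample GIF blobs are constructed for the example.

```python
import re

# Constructed allow-list of magic bytes for the image types an upload feature
# might accept; a real deployment would tune this to its own needs.
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
}
ALLOWED_EXT = {"image/png": {"png"}, "image/gif": {"gif"}, "image/jpeg": {"jpg", "jpeg"}}

# A PHP open tag anywhere in the body means the file is a polyglot, not just an image.
# Only the long form and "<?=" are matched; hosts with short_open_tag enabled would
# need a wider pattern, at the cost of more false positives on binary image data.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

def sniff(data: bytes):
    """Return the MIME type implied by the leading magic bytes, or None."""
    for mime, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return mime
    return None

def naive_check(filename: str, data: bytes) -> bool:
    """Header-only check: the kind a polyglot file walks straight through."""
    return sniff(data) is not None

def strict_check(filename: str, data: bytes) -> tuple:
    """(accepted, reason): magic bytes, matching extension, and no PHP tag in the body."""
    mime = sniff(data)
    if mime is None:
        return False, "unrecognised magic bytes"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT[mime]:
        return False, f"extension .{ext} does not match sniffed {mime}"
    if PHP_TAG.search(data):
        return False, "embedded PHP open tag (polyglot)"
    return True, mime

# Constructed samples: a minimal GIF header plus trailer, and the same bytes with a
# PHP open tag appended, which is the polyglot shape the advisory describes.
CLEAN_GIF = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"
POLYGLOT_GIF = CLEAN_GIF + b"<?php /* constructed marker, not a payload */ ?>"

if __name__ == "__main__":
    for name, blob in (("logo.gif", CLEAN_GIF), ("logo.gif", POLYGLOT_GIF), ("logo.php", CLEAN_GIF)):
        print(name, "naive:", naive_check(name, blob), "strict:", strict_check(name, blob))
```

The naive check accepts the polyglot because its first bytes really are a GIF header; the strict check rejects it, and also rejects a genuine image uploaded under a .php name.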

If security is critical, avoid using Voyager in production environments until official patches are out, or consider migrating to another Laravel admin panel.
