Three security flaws have been disclosed in the open-source PHP package Voyager that could be exploited by an attacker to achieve one-click remote code execution on affected instances.
"When an authenticated Voyager user clicks on a malicious hyperlink, attackers can execute arbitrary code on the server," Sonar researcher Yaniv Nizry said in a write-up published earlier this week.
The identified issues, which remain unpatched to date despite responsible disclosure on September 11, 2024, are listed below:
- CVE-2024-55417 – An arbitrary file write vulnerability in the "/admin/media/add" endpoint
- CVE-2024-55416 – A reflected cross-site scripting (XSS) vulnerability in the "/admin/compass" endpoint
- CVE-2024-55415 – An arbitrary file leak and deletion vulnerability
An attacker could leverage Voyager's media upload feature to upload a malicious file in a manner that bypasses MIME type verification, using a polyglot file that appears to be an image or video but contains executable PHP code. The server is then tricked into processing the file as a PHP script, resulting in remote code execution.
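The gap between a content-based MIME check and the name a file is finally stored under can be seen in the following added example, which is not Voyager's code and not taken from the Sonar write-up. The function names, the allowlist and the sample bytes are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration; not Voyager's code. All names here are hypothetical.

const ALLOWED = [            // detected MIME type => extension used on disk
    'image/gif'  => 'gif',
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
];

function detectMime(string $bytes): string
{
    // Content sniffing only inspects the leading magic bytes of the upload.
    return (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes) ?: 'application/octet-stream';
}

// Weak pattern: the MIME check passes, but the client-chosen file name and
// extension are kept, so the web server decides how the file is handled.
function weakStoredName(string $clientName, string $bytes): ?string
{
    return isset(ALLOWED[detectMime($bytes)]) ? basename($clientName) : null;
}

// Hardened pattern: the client name is ignored; the stored extension is the
// allowlist entry for the detected type and the base name is random.
function safeStoredName(string $bytes): ?string
{
    $ext = ALLOWED[detectMime($bytes)] ?? null;
    return $ext === null ? null : bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample: GIF magic bytes followed by non-image filler,
// submitted under a script extension.
$bytes = "GIF89a\x01\x00\x01\x00\x00\x00\x00;" . "/* constructed filler */";
$name  = 'avatar.php';

// Both calls accept the same bytes; compare the names they would store.
var_dump(weakStoredName($name, $bytes));
var_dump(safeStoredName($bytes));
```

Deriving the stored name from the detected type removes the attacker's control over the extension; serving the upload directory with script execution disabled covers the case where a check is still bypassed.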
The vulnerability can be chained with CVE-2024-55416, elevating it into a critical threat that leads to code execution when a victim clicks on a malicious link.
"This means that if an authenticated user clicks on a specially crafted hyperlink, arbitrary JavaScript code could be executed," Nizry explained. "Because of this, an attacker can carry out any subsequent action within the context of the victim."
CVE-2024-55415, on the other hand, concerns a flaw in the file management system that allows threat actors to delete arbitrary files from the system, or exploit it in conjunction with the XSS vulnerability to extract the contents of the files.
In the absence of a fix, users are advised to exercise caution when using the project in their applications.