
Researchers have identified three significant vulnerabilities in Voyager, an open-source PHP package that provides an admin panel for Laravel applications. Chained together, the flaws allow remote code execution (RCE) after a single click by an authenticated user on an attacker-crafted link.
The Vulnerabilities Unveiled
Despite efforts to report these issues, the vulnerabilities remained unpatched at the time of disclosure. They can be triggered when an authenticated Voyager user clicks a crafted link; no further interaction is required.
Discovery by Security Experts
Security researchers at SonarSource, a firm specializing in code quality and security, uncovered the vulnerabilities. Their attempts to alert Voyager's maintainers went unanswered throughout Sonar's 90-day disclosure window.
Detailed Breakdown of the Flaws
- CVE-2024-55417: The media upload feature checks the MIME type of an uploaded file but does not ensure that the content agrees with the extension the file is stored under. A polyglot file that is a valid image or video and also carries PHP code passes the check; once it sits in a web-served directory with a scriptable extension, requesting it executes the embedded code, giving remote code execution.
- CVE-2024-55416: The /admin/compass endpoint reflects unsanitized user input into a popup message, a reflected cross-site scripting (XSS) flaw. Script injected this way runs in the administrator's browser with the administrator's authenticated session, so it can drive Voyager on the victim's behalf, including uploading a polyglot file through the media feature. This is the "one click" that turns the upload flaw into RCE.
- CVE-2024-55415: Improper handling of file paths lets an attacker manipulate the path a request operates on, so critical files on the server can be read or deleted. Exploitation can disrupt the application or expose sensitive information.
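The following is an added example for this article, not Voyager's upload code and not Sonar's proof of concept. It shows why a content-sniffed MIME check alone does not stop an image/PHP polyglot, and what a sufficient upload check looks like: an extension allowlist, agreement between the sniffed content and the extension, a scan for PHP open tags, and a server-chosen storage name. The function and table names are the author's, and the GIF bytes and the inert PHP payload are constructed here.

```python
"""Why a content-sniffed MIME check does not stop image/PHP polyglots.

Added example; not Voyager's code and not Sonar's PoC. The "weak" check
models a handler that trusts the sniffed MIME type but keeps the
client-supplied filename; the hardened check is what an upload handler
should do instead. Sample bytes are constructed below.
"""
import hashlib
import re
from typing import Optional, Tuple

# Leading bytes for the image types an admin panel would typically allow.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}
ALLOWED_EXT = {"gif", "png", "jpg", "jpeg"}

# PHP open tags: full, echo and short form. The short form requires trailing
# whitespace so "<?xml" in SVG/XML content does not trigger a false positive.
PHP_TAG = re.compile(rb"<\?php\b|<\?=|<\?\s")


def normalise_ext(ext: str) -> str:
    return "jpg" if ext == "jpeg" else ext


def sniffed_type(data: bytes) -> Optional[str]:
    """Image type implied by the leading bytes, or None."""
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def weak_check(filename: str, data: bytes) -> bool:
    """Sniff-only check: the file is 'an image' if its header says so.

    The filename is ignored, so shell.php with a GIF header is accepted and
    stored under a name the web server will hand to PHP.
    """
    return sniffed_type(data) is not None


def hardened_check(filename: str, data: bytes) -> Tuple[bool, str]:
    """Extension allowlist + content/extension agreement + PHP-tag scan."""
    if any(c in filename for c in "/\\") or ".." in filename:
        return False, "path characters in filename"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return False, f"extension .{ext} not allowed"
    kind = sniffed_type(data)
    if kind is None or kind != normalise_ext(ext):
        return False, "content does not match extension"
    if PHP_TAG.search(data):
        return False, "PHP open tag embedded in file"
    return True, "ok"


def storage_name(data: bytes) -> str:
    """Server-chosen name: content hash plus the *sniffed* extension, so no
    client-controlled name or double extension ever reaches the disk."""
    kind = sniffed_type(data)
    if kind is None:
        raise ValueError("not a recognised image")
    return hashlib.sha256(data).hexdigest()[:32] + "." + kind


# Constructed samples: a 1x1 transparent GIF89a, and the same GIF with an
# inert PHP snippet appended. Image decoders ignore bytes after the trailer
# (0x3B), so the second file is simultaneously a valid image and a PHP script.
CLEAN_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
    b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
)
POLYGLOT = CLEAN_GIF + b"<?php echo 'polyglot'; ?>"

if __name__ == "__main__":
    for name, blob in [("shell.php", POLYGLOT), ("shell.gif", POLYGLOT),
                       ("photo.gif", CLEAN_GIF)]:
        print(f"{name:10} weak={weak_check(name, blob)!s:5} "
              f"hardened={hardened_check(name, blob)}")
```

The weak check accepts `shell.php` because the first six bytes spell `GIF89a`; the hardened check rejects it on extension, rejects `shell.gif` on the embedded `<?php`, and accepts only the clean image. Storing files under `storage_name()` removes the attacker's control over the on-disk extension entirely, which is the property the MIME check was never going to provide.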
SonarSource's researchers made repeated attempts, starting September 11, 2024, to reach the Voyager team by email and through GitHub, and received no response. Once the 90-day period expired, they published the technical details, stressing the urgency of addressing the flaws.
Vulnerability Impact and Recommended Actions
Voyager is used mainly by Laravel developers, including freelancers, startups, and SMBs, as an admin panel for internal tools and CMS-style applications. Its user base is substantial: over 2,700 forks and about 11,800 stars on GitHub, and millions of downloads.
The identified vulnerabilities remain unpatched. It's critical for users to:
- Restrict Voyager access to trusted users only.
- Use role-based access control (RBAC) to limit "browse_media" permissions.
- Harden the server rather than relying on the application alone: disable PHP execution in the upload directory, and validate uploads by extension allowlist and file content together, not by MIME type alone, so that polyglot files are rejected.
- Consistently monitor server logs for unusual file access or upload activities.
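The server-level control above, disabling PHP execution in the upload tree, as an added nginx example (not configuration from Voyager or from Sonar). It assumes the default Laravel layout in which files on the "public" disk are served from /storage through the public/storage symlink; if Voyager's media disk or path is configured differently, change the prefix to match.

```nginx
# Added example, not Voyager's or Sonar's configuration. Assumes uploads are
# served under /storage (Laravel's public disk via the public/storage symlink).
#
# Order matters: nginx evaluates regex locations in the order written, so this
# deny block must appear BEFORE the usual "location ~ \.php$ { fastcgi_pass ...; }"
# block, or the PHP handler wins and the polyglot is executed.
location ~* ^/storage/.*\.(php|phar|phtml|phps)$ {
    return 403;
}

# Everything else under the upload tree is served as a static file. nosniff
# keeps browsers from reinterpreting a stored file as something other than
# the type the server declares.
location /storage/ {
    add_header X-Content-Type-Options nosniff;
    try_files $uri =404;
}
```

Check the result by requesting a `.php` path under /storage and confirming a 403, and by requesting a legitimate image and confirming it is still served. The equivalent on Apache is `php_admin_flag engine off` (or `RemoveHandler .php`) in a `<Directory>` block for the upload path; both controls are defence in depth and do not replace fixing the upload validation itself.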
For environments where security is paramount, it's advisable to avoid using Voyager in production until patches are available or consider transitioning to an alternative Laravel admin panel.