Three vulnerabilities found in Voyager, an open-source PHP admin package for Laravel, can be chained to achieve remote code execution. As of writing, the issues have not been fixed and can be exploited against an authenticated Voyager user who clicks a malicious link. Vulnerability researchers at SonarSource said they tried to report the weaknesses to the Voyager maintainers but received no response within the 90-day period that the company allows under its vulnerability disclosure policy.
Vulnerability details
The SonarQube Cloud team discovered the first vulnerability in Voyager, an arbitrary file write, during a routine scan. Looking more closely at the package, they found additional issues that could be combined to execute remote code with a single click on a reachable Voyager instance.
Here is a summary of the vulnerabilities found:
CVE-2024-55417—The Voyager media upload feature lets attackers upload malicious files that bypass MIME type verification. By embedding PHP code in a polyglot file that passes as an image or video, an attacker can achieve remote code execution if the file is later processed by the server.
CVE-2024-55416—The /admin/compass endpoint in Voyager does not properly filter user input, allowing attackers to inject JavaScript into the popup message. If a logged-in admin clicks the malicious link, the script runs in their browser, potentially letting the attacker act on the admin's behalf, up to and including escalating to remote code execution.
CVE-2024-55415—A vulnerability in the file management system lets attackers manipulate file paths, enabling them to access or delete files on the server without authorization. Through this, attackers can disrupt services, delete important data, or steal sensitive information.
Researchers from SonarQube Cloud reported the three vulnerabilities to the Voyager maintainers via email and GitHub starting September 11, 2024, but received no response. During the 90-day disclosure period they repeatedly tried to contact the maintainers and reminded them that the public disclosure date was approaching. On November 28 they also submitted a security report via GitHub, informing the maintainer that the 90-day deadline had passed and that the technical details would soon be released publicly.
Impact and recommendations:
Voyager is a ready-to-use admin template that Laravel developers use to manage their applications. It is typically used by web development agencies, startups, freelance developers, Laravel enthusiasts, and small to medium-sized businesses that rely on Laravel for internal tools or CMS-based applications. These users value Voyager for its intuitive interface and extensive feature set, which streamline development. With built-in functionality such as user authentication, role management, and a BREAD (Browse, Read, Edit, Add, Delete) system, it lets developers focus on building their applications rather than on repetitive tasks.
Voyager is widely used: it has been forked 2,700 times on GitHub, has received more than 11,800 stars, and has recorded millions of downloads. Its popularity, however, is not matched by prompt and effective bug handling. Given that the three vulnerabilities discovered by the SonarQube team remain unfixed, Voyager users are advised to restrict access to trusted users only, disable the “browse_media” permission to prevent unauthorized file uploads, and implement role-based access control (RBAC) to reduce risk. These precautions are essential to safeguard sensitive data and maintain the integrity of the application.
Server-level measures also apply: disabling PHP execution for uploaded files, implementing strict MIME type validation to block polyglot files, and routinely monitoring logs for suspicious activity. If security is a top priority, it is advisable to avoid running Voyager in production until an official patch is available, or to consider switching to another Laravel admin template.
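The strict upload validation recommended above, as an added example that is not Voyager's or SonarSource's code: storeImageSafely and ALLOWED_IMAGES are hypothetical names for an image-only upload endpoint, and $storeDir is assumed to be a directory where PHP is not executed.

```php
<?php
// Added example, not Voyager's code: a hardened image-upload check applying the
// server-side controls discussed above. The client-supplied MIME type is ignored;
// the content is sniffed with finfo, scanned for PHP open tags, and re-encoded
// through GD so that any payload hidden in a polyglot's metadata or tail is dropped.
declare(strict_types=1);

// Accepted sniffed types, the extension to store them under and the GD writer.
const ALLOWED_IMAGES = [
    'image/jpeg' => ['ext' => 'jpg', 'save' => 'imagejpeg'],
    'image/png'  => ['ext' => 'png', 'save' => 'imagepng'],
    'image/gif'  => ['ext' => 'gif', 'save' => 'imagegif'],
];

/**
 * Validate the uploaded temp file and write a sanitised copy into $storeDir,
 * which should sit outside the web root or have PHP execution disabled.
 * Returns the generated file name, or throws on any policy violation.
 */
function storeImageSafely(string $tmpPath, string $storeDir): string
{
    // 1. Trust only the sniffed content type, never $_FILES[...]['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath) ?: 'unknown';
    if (!array_key_exists($mime, ALLOWED_IMAGES)) {
        throw new RuntimeException("Rejected: sniffed type '$mime' is not an allowed image");
    }

    // 2. Reject obvious polyglots: a valid image header followed by PHP tags.
    $bytes = file_get_contents($tmpPath);
    if (preg_match('/<\?(php|=)/i', $bytes) === 1) {
        throw new RuntimeException('Rejected: PHP open tag embedded in image data');
    }

    // 3. Re-encode through GD: the decoder reads only the image stream, so
    //    comment chunks, EXIF and anything appended after the image are dropped.
    $img = @imagecreatefromstring($bytes);
    if ($img === false) {
        throw new RuntimeException('Rejected: file is not a decodable image');
    }

    // 4. Never reuse the client file name; generate one with a fixed extension.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGES[$mime]['ext'];
    $dest = rtrim($storeDir, '/') . '/' . $name;
    $ok   = (ALLOWED_IMAGES[$mime]['save'])($img, $dest);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Failed to write sanitised image');
    }
    return $name;
}
```

Re-encoding costs CPU on large uploads, so pair it with an upload size limit; the tag scan alone is not sufficient, since the re-encode step is what actually strips hidden payloads.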
Source:
https://www.bleepingcomputer.com/news/security/laravel-admin-package-voyager-vulnerable-to-one-click-rce-flaw/
https://www.sonarsource.com/blog/the-tainted-voyage-uncovering-voyagers-vulnerabilities/
https://nvd.nist.gov/vuln/detail/CVE-2024-55417
https://nvd.nist.gov/vuln/detail/CVE-2024-55416
https://nvd.nist.gov/vuln/detail/CVE-2024-55415