Unpatched PHP Voyager Flaws Leave Servers Open to One-Click RCE Exploits

Jan 30, 2025 | Ravie Lakshmanan | Web Security / Vulnerability

Three security flaws have been disclosed in the open-source PHP package Voyager that could be exploited by an attacker to achieve one-click remote code execution on affected instances.

“When an authenticated Voyager user clicks on a malicious link, attackers can execute arbitrary code on the server,” Sonar researcher Yaniv Nizry said in a write-up published earlier this week.


The identified issues, which remain unpatched to date despite responsible disclosure on September 11, 2024, are listed below:

  • CVE-2024-55417 – An arbitrary file write vulnerability in the “/admin/media/upload” endpoint
  • CVE-2024-55416 – A reflected cross-site scripting (XSS) vulnerability in the “/admin/compass” endpoint
  • CVE-2024-55415 – An arbitrary file leak and deletion vulnerability

A malicious attacker could leverage Voyager’s media upload feature to upload a malicious file in a manner that bypasses MIME type verification, and make use of a polyglot file that appears as an image or video but contains executable PHP code to trick the server into processing it as a PHP script, thereby resulting in remote code execution.
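The upload-validation gap described above can be illustrated from the defender's side. The following is an added example, not Voyager's code and not taken from the Sonar write-up; the function names `weakStoredName` and `safeStoredName`, the allowlist, and the sample bytes are hypothetical and constructed for illustration. It contrasts a check that trusts content sniffing but keeps the client-supplied file name with one that derives the stored name and extension from the detected type.

```php
<?php
declare(strict_types=1);

// Allowlist (assumed for this example): detected MIME type => the only
// extension a file of that type is ever stored under.
const ALLOWED_TYPES = [
    'image/gif'  => 'gif',
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
];

/**
 * Weak pattern: the content passes MIME sniffing, but the client-chosen name
 * (and therefore its extension) is kept, so the web server decides how to
 * treat the stored file.
 */
function weakStoredName(string $bytes, string $clientName): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    return isset(ALLOWED_TYPES[$mime]) ? $clientName : null;
}

/**
 * Hardened pattern: the client name is discarded. The stored name is random,
 * its extension comes from the detected type, and a claimed extension that
 * disagrees with the content is rejected.
 */
function safeStoredName(string $bytes, string $clientName): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if (!isset(ALLOWED_TYPES[$mime])) {
        return null; // type not on the allowlist
    }
    $expected = ALLOWED_TYPES[$mime];
    $claimed  = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($claimed !== $expected && !($expected === 'jpg' && $claimed === 'jpeg')) {
        return null; // extension disagrees with content
    }
    return bin2hex(random_bytes(16)) . '.' . $expected;
}

// Constructed sample: a GIF header followed by arbitrary trailing bytes.
$sample = "GIF89a\x01\x00\x01\x00\x00\x00\x00;" . "trailing non-image data";

var_dump(weakStoredName($sample, 'avatar.php')); // client name with a script extension
var_dump(safeStoredName($sample, 'avatar.php')); // same upload, hardened check
var_dump(safeStoredName($sample, 'avatar.gif')); // matching extension
```

Name handling is only one layer: uploads should also be stored in a location where the web server never executes scripts.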

The vulnerability can be chained with CVE-2024-55416, elevating it into a critical threat that leads to code execution when a victim clicks on a malicious link.


“This means that if an authenticated user clicks on a specially crafted link, arbitrary JavaScript code can be executed,” Nizry explained. “As a result, an attacker can perform any subsequent action in the context of the victim.”

CVE-2024-55415, on the other hand, concerns a flaw in the file management system that allows threat actors to delete arbitrary files from the system, or exploit it in conjunction with the XSS vulnerability to extract the contents of the files.

In the absence of a fix, users are advised to exercise caution when using the project in their applications.
