Three safety flaws have been disclosed within the open-source PHP package deal Voyager that may very well be exploited by an attacker to realize one-click distant code execution on affected situations.
“When an authenticated Voyager consumer clicks on a malicious hyperlink, attackers can execute arbitrary code on the server,” Sonar researcher Yaniv Nizry mentioned in a write-up revealed earlier this week.
The recognized points, which stay unpatched up to now regardless of accountable disclosure on September 11, 2024, are listed beneath –
- CVE-2024-55417 – An arbitrary file write vulnerability within the “/admin/media/add” endpoint
- CVE-2024-55416 – A mirrored cross-site scripting (XSS) vulnerability within the “/admin/compass” endpoint
- CVE-2024-55415 – An arbitrary file leak and deletion vulnerability
A malicious attacker may leverage Voyager’s media add function to add a malicious file in a way that bypasses MIME sort verification, and make use of a polyglot file that seems as a picture or video however incorporates executable PHP code to trick the server into processing it as a PHP script, thereby leading to distant code execution.
The vulnerability may be chained with CVE-2024-55416, elevating it right into a vital risk that results in code execution when a sufferer clicks on a malicious hyperlink.
“Which means that if an authenticated consumer clicks on a specifically crafted hyperlink, arbitrary JavaScript code will be executed,” Nizry defined. “Because of this, an attacker can carry out any subsequent motion within the context of the sufferer.”
CVE-2024-55415, alternatively, considerations a flaw within the file administration system that permits risk actors to wipe arbitrary information from the system, or exploit it at the side of the XSS vulnerability to extract the contents of the information.
Within the absence of a repair, customers are suggested to train warning when utilizing the venture of their functions.
