The open-source PHP package Voyager, an administrative panel for Laravel, has been found to contain three serious vulnerabilities that together allow arbitrary code execution on the server with a single click. Security researcher Yaniv Nizry reported issues in the file upload function, in file processing, and in the module responsible for dynamic interaction within the administrative panel.
An attacker who can get an authenticated Voyager user to click a malicious link can then execute code on the server; the payload is uploaded disguised as a harmless image or video. Attackers can also hide PHP code inside polyglot files that still pass as valid images, which makes detection harder.
The vulnerabilities have been assigned the identifiers CVE-2024-55417, CVE-2024-55416, and CVE-2024-55415. They allow, respectively, bypassing MIME-type checks on uploaded files, executing JavaScript in a victim's browser through a malicious link, and deleting arbitrary files on the server, which together pose a serious threat to server security.
Although the issues were reported to the developers in mid-September 2024, no official patch has been released, leaving users exposed. The absence of a timeline for a fix has raised concerns in the community.
Last year saw a rise in vulnerabilities in popular open-source projects, highlighting the need for thorough source code audits to address security flaws promptly. With the growing threat of supply chain attacks, cybersecurity experts are urging developers to implement rigorous testing measures for critical projects.
Developers using Voyager are advised to exercise caution: temporarily restrict access to the file upload functions and review the source code for further potential issues. Increased monitoring and the use of vulnerability scanning tools are recommended to mitigate risk until a patch is released.