Summary: Three critical security vulnerabilities have been discovered in the open-source PHP package Voyager, allowing remote code execution and potentially severe exploitation through malicious links. Despite responsible disclosure, these vulnerabilities remain unpatched, posing a significant risk to affected instances. Users are urged to take precautions while using the Voyager project until fixes are implemented.
Affected: Voyager PHP package
Keypoints:
- CVE-2024-55417: Arbitrary file write vulnerability in the “/admin/media/upload” endpoint.
- CVE-2024-55416: Reflected cross-site scripting (XSS) vulnerability in the “/admin/compass” endpoint.
- CVE-2024-55415: Arbitrary file leak and deletion vulnerability in the file management system.
- Attackers can upload malicious files masquerading as images or videos to execute PHP code.
- The XSS vulnerability allows execution of arbitrary JavaScript in the victim's browser, enabling further attacks in the context of the victim's session.
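For teams that cannot patch yet, a quick hunt over web server access logs for the two endpoints named above is a practical interim control. The script below is an added example written for this summary; it is not code from the article or from the Voyager project. It parses Apache combined-format lines and flags three things: POSTs to `/admin/media/upload` from outside an assumed trusted admin network, requests to `/admin/compass` whose query string carries common reflected-XSS markers, and requests for script-extension files under an assumed upload prefix (`/storage/`), which is what a successful image-masquerade upload would eventually look like when fetched. The sample log lines, the trusted network, the upload prefix and the `q=` parameter name are all constructed assumptions; the advisory does not name the vulnerable parameter or the storage path.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache "combined" format. Addresses come from the
# RFC 5737 documentation ranges and the compass query parameter name (q) is made
# up, since the advisory does not name the vulnerable parameter.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Jan/2025:10:00:01 +0000] "POST /admin/media/upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Jan/2025:10:00:05 +0000] "GET /admin/compass?q=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [30/Jan/2025:10:02:00 +0000] "POST /admin/media/upload HTTP/1.1" 200 512 "https://app.example/admin/media" "Mozilla/5.0"
192.0.2.44 - - [30/Jan/2025:10:03:00 +0000] "GET /storage/uploads/avatar.jpg HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.44 - - [30/Jan/2025:10:03:02 +0000] "GET /storage/uploads/avatar.jpg.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: the Voyager admin panel is only legitimately used from this network.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Assumption: Voyager-managed uploads are served from this prefix on this install.
UPLOAD_PREFIX = "/storage/"
EXECUTABLE_EXTS = (".php", ".phtml", ".phar", ".php5")
XSS_MARKERS = ("<script", "javascript:", "onerror=", "onload=")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    rec["query"] = unquote_plus(query)  # decode so %3C is inspected as '<'
    return rec


def is_trusted(ip):
    """True when the client address falls inside an allowed admin network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def check_record(rec):
    """Return the list of detection names that fire for one parsed request."""
    findings = []
    # CVE-2024-55417: file write through the media upload endpoint.
    if (rec["path"] == "/admin/media/upload" and rec["method"] == "POST"
            and not is_trusted(rec["ip"])):
        findings.append("upload-from-untrusted-source")
    # CVE-2024-55416: reflected XSS on the compass endpoint.
    if rec["path"].startswith("/admin/compass"):
        q = rec["query"].lower()
        if any(marker in q for marker in XSS_MARKERS):
            findings.append("compass-reflected-xss-pattern")
    # Follow-on: a "media" file served with a script extension is a strong signal
    # that an upload masquerading as an image has been fetched for execution.
    if (rec["path"].startswith(UPLOAD_PREFIX)
            and rec["path"].lower().endswith(EXECUTABLE_EXTS)):
        findings.append("script-extension-under-uploads")
    return findings


def scan_log(text):
    """Run every detection over each line and return the alerts in log order."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not combined-format requests
        for kind in check_record(rec):
            alerts.append({"kind": kind, "ip": rec["ip"], "method": rec["method"],
                           "path": rec["path"], "status": rec["status"]})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f'{a["kind"]:32} {a["ip"]:15} {a["method"]} {a["path"]} ({a["status"]})')
```

Run it against a real log with `scan_log(open(path).read())`. The trusted-network rule is the weakest of the three (an attacker who already holds an admin session from inside the network is not caught), so pair it with the other two rather than relying on it alone; the script-extension rule should be adjusted to whatever path the deployment actually serves uploads from.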
Source: https://thehackernews.com/2025/01/unpatched-php-voyager-flaws-leave.html