Security researchers have disclosed three vulnerabilities in Voyager, a popular open-source PHP admin package built on Laravel, that could allow an attacker to execute code on the hosting server with minimal interaction from a legitimate user.
The flaws were found by Sonar security researcher Yaniv Nizry and reported to the maintainers in September 2024, but no fix had been released at the time of writing. Exploitation requires an authenticated Voyager user to open a specially crafted link; no further action by the victim is needed.
The three identified security issues include:
- An arbitrary file write vulnerability affecting the media upload feature
- A reflected cross-site scripting (XSS) vulnerability in the compass endpoint
- A vulnerability allowing arbitrary file leaks and deletions
According to the researchers, Voyager's media upload checks can be bypassed with a polyglot file: one whose leading bytes look like ordinary media, so content-type checks pass, while the rest of the file contains PHP code. If such a file is stored under the web root with an extension the server hands to the PHP interpreter, simply requesting the uploaded file executes the embedded code, giving the attacker remote code execution.
The risk is compounded when the upload flaw is chained with the XSS vulnerability. Once a victim clicks the malicious link, the attacker's JavaScript runs inside the victim's authenticated Voyager session and can drive the media upload on their behalf, so the attacker needs no credentials of their own.
The file management vulnerability chains with the XSS flaw in the same way: the injected script can instruct the application to delete files from the server or to return the contents of sensitive files to the attacker.
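The article does not say how the file management endpoint comes to read or delete arbitrary files. The usual root cause for this class of bug is a user-supplied path that is never confined to the media directory, so the following added example (not Voyager's code, and not taken from the research) shows the containment check a practitioner would want on such an endpoint. It builds a throwaway directory tree with a file outside the media root and a symlink pointing at it, and demonstrates that traversal, absolute paths and symlink escapes are all rejected. The directory layout, file names and function names are assumptions for the demonstration.

```python
import tempfile
from pathlib import Path
from typing import Optional


def build_sample_tree() -> Path:
    """Create a constructed sandbox: a media directory plus a secret outside it."""
    root = Path(tempfile.mkdtemp(prefix="media-demo-"))
    media = root / "storage" / "app" / "public"
    media.mkdir(parents=True)
    (media / "avatar.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    (root / ".env").write_text("APP_KEY=constructed-sample-value\n")
    try:
        # A symlink inside the media directory that points outside it.
        (media / "escape").symlink_to(root / ".env")
    except OSError:
        pass  # symlinks may be unavailable on some platforms; the other checks still run
    return root


def resolve_inside(media_dir: Path, user_path: str) -> Optional[Path]:
    """Resolve user_path relative to media_dir and return it only if the real
    (symlink-resolved) location is still inside media_dir."""
    base = Path(media_dir).resolve()
    # Joining an absolute user_path discards base, which the check below catches.
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def read_media(media_dir: Path, user_path: str) -> Optional[bytes]:
    """Return file contents, or None if the path escapes the media directory."""
    target = resolve_inside(media_dir, user_path)
    if target is None or not target.is_file():
        return None
    return target.read_bytes()


def delete_media(media_dir: Path, user_path: str) -> bool:
    """Delete a file inside the media directory; refuse anything else."""
    target = resolve_inside(media_dir, user_path)
    if target is None or not target.is_file():
        return False
    target.unlink()
    return True


if __name__ == "__main__":
    root = build_sample_tree()
    media = root / "storage" / "app" / "public"
    for p in ["avatar.png", "../../../.env", "/etc/passwd", "escape"]:
        print(f"read {p!r}:", read_media(media, p) is not None)
    print("delete ../../../.env:", delete_media(media, "../../../.env"))
    print("delete avatar.png:", delete_media(media, "avatar.png"))
```

The order matters: resolve first, then compare. Checking for "../" in the raw string misses absolute paths, encoded separators and symlinks, whereas comparing the fully resolved path against the resolved base handles all three.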
With no patches available, organizations running Voyager should treat the admin panel as exposed: limit which accounts can reach it, disable script execution in the media upload directory, and be wary of links that lead into the panel until a fixed release ships.
The discovery highlights ongoing security challenges in popular open-source packages and emphasizes the need for timely vulnerability fixes to protect users from potential attacks.