Unpatched PHP Voyager Bugs Open Servers to One-Click RCE Exploits

Jan 30, 2025Ravie LakshmananWeb Security / Risk

The open-source PHP package Voyager contains three security flaws that an attacker could exploit to achieve one-click remote code execution on affected instances.

In a write-up published earlier this year, Sonar researcher Yaniv Nizry stated that "when an authorized Voyager user clicks on a malicious website, attackers can execute arbitrary code on the server."

The identified issues, which remain unpatched despite responsible disclosure on September 11, 2024, are listed below:

  • CVE-2024-55417 - An arbitrary file write vulnerability in the "/admin/media/upload" endpoint
  • CVE-2024-55416 - A reflected cross-site scripting (XSS) vulnerability in the "/admin/compass" endpoint
  • CVE-2024-55415 - An arbitrary file leak and deletion vulnerability

A malicious attacker could use Voyager's media upload feature to upload a malicious file in a way that bypasses MIME type verification and tricks the server into processing it as a PHP script, leading to remote code execution.

The vulnerability could also be combined with CVE-2024-55416, making it a critical threat that leads to code execution when a victim opens a malicious link.

"This means that if an authorized user clicks on a specially crafted website, random JavaScript code can be executed," Nizry explained. As a result, an attacker can take any further action on behalf of the victim.

CVE-2024-55415, on the other hand, concerns a weakness in the file management system that allows threat actors to delete arbitrary files from the system or use it in conjunction with the XSS vulnerability to extract the files' contents.

In the absence of a fix, users are advised to exercise caution when using the project in their applications.
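
As an added example (not from the original article and not Voyager's own code), the code below shows a defensive upload handler for the class of issue described for the media upload endpoint: the content type is sniffed, but the stored file's name and extension come from a server-side allowlist rather than from the client. The function name, allowlist, sample file and target directory are assumptions, and PHP's fileinfo extension is required.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: sniffed MIME type => the only extension ever written.
const ALLOWED_TYPES = [
    'image/gif'  => 'gif',
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

/**
 * Store an uploaded file under a server-chosen name.
 * $clientName is accepted only to show that it is never trusted.
 */
function storeUpload(string $tmpPath, string $clientName, string $destDir): string
{
    // Content sniffing says what the bytes look like, not how the web
    // server will treat the stored file, so it is only the first check.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('rejected upload: type not allowed');
    }

    // The extension comes from the allowlist, never from $clientName, so a
    // name such as "avatar.php" cannot end up on disk.
    $name   = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $target = rtrim($destDir, '/') . '/' . $name;

    // A real request handler would call move_uploaded_file() here; copy()
    // is used because the sample below is not an HTTP upload.
    if (!copy($tmpPath, $target)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($target, 0640); // readable, never executable
    return $target;
}

// Constructed sample: a 1x1 GIF submitted under a client-chosen ".php" name.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
$dest = sys_get_temp_dir() . '/uploads-demo'; // assumption: a directory outside the web root
if (!is_dir($dest)) {
    mkdir($dest, 0750, true);
}

$stored = storeUpload($tmp, 'avatar.php', $dest);
echo 'stored as ', basename($stored), PHP_EOL;
unlink($tmp);
```

Keeping the upload directory outside the web root, or configuring the web server so that it never passes files in that directory to the PHP interpreter, covers the case where a stored file is later requested directly.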
