

Severity
High
Analysis Summary
The open-source PHP package Voyager has been found to contain three critical security vulnerabilities that could allow attackers to achieve remote code execution (RCE) through a single malicious click.
According to the researcher, these flaws remain unpatched despite being responsibly disclosed on September 11, 2024. The vulnerabilities include an arbitrary file write flaw (CVE-2024-55417), a reflected cross-site scripting (XSS) flaw (CVE-2024-55416), and an arbitrary file leak and deletion flaw (CVE-2024-55415). These security gaps expose authenticated users to severe risks, including server compromise and data manipulation.
CVE-2024-55417 affects Voyager’s media upload feature, allowing attackers to bypass MIME type verification and upload polyglot files—malicious PHP scripts disguised as images or videos. When processed by the server, these scripts can execute arbitrary code, leading to full server compromise. This vulnerability is particularly dangerous when combined with CVE-2024-55416, as it enables attackers to execute malicious scripts when a victim clicks on a specially crafted link, triggering unauthorized JavaScript execution within the victim’s session.
CVE-2024-55415, meanwhile, exploits flaws in the file management system to either delete arbitrary files or extract sensitive data from them. When chained with CVE-2024-55416, an attacker could execute an XSS payload to read or modify files that the victim has access to. This could lead to credential theft, unauthorized system modifications, and further exploitation of the server. Given that these vulnerabilities allow both file manipulation and code execution, they significantly increase the risk of full system compromise.
As there are currently no official patches available, users are strongly advised to limit their exposure to these risks. This includes restricting Voyager’s usage in critical applications, implementing strict access controls, and monitoring for suspicious activity. Until an update is released, organizations using Voyager should be extremely cautious to prevent potential exploitation.
Impact
- Remote Code Execution
- Gain Access
Indicators of Compromise
CVE
CVE-2024-55417
CVE-2024-55416
CVE-2024-55415
Remediation
- Avoid using Voyager in production environments until an official fix is available.
- Restrict access to the Voyager admin panel to trusted IPs or internal networks.
- Enable logging and actively monitor for unusual uploads, file modifications, or unauthorized access attempts.
- If not essential, disable the /admin/media/upload endpoint.
- Implement server-side validation to strictly enforce allowed file types.
- Deploy a WAF to detect and block malicious file uploads.
- Ensure all user-supplied input is properly sanitized and encoded before rendering in the UI.
- Enforce a strong CSP to limit the execution of untrusted scripts.
- Prevent unauthorized execution of JavaScript by implementing CSRF tokens.
- Regularly back up important system files to recover in case of unauthorized deletion.
- Limit the ability to delete or modify files to authorized users only.
- Monitor the Voyager project for security updates and apply patches immediately.
- Restrict admin privileges to essential users only.
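
The server-side file type enforcement recommended above, sketched in plain PHP as an added example (it is not Voyager's code or an official fix). It assumes the fileinfo and GD extensions are loaded, that only JPEG and PNG uploads are wanted, and that the hypothetical `$storageDir` is a directory where PHP execution is disabled.

```php
<?php
declare(strict_types=1);

// Added example: hardened image-upload handling (hypothetical helper, not Voyager code).
// Allowlist maps the sniffed content type to the only extension the server will store.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

/**
 * Validate an uploaded temp file and store a re-encoded copy.
 * Returns the stored path; throws RuntimeException when the upload is rejected.
 */
function storeUploadedImage(string $tmpPath, string $storageDir, int $maxBytes = 5000000): string
{
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        throw new RuntimeException('Rejected: empty or oversized upload');
    }

    // Sniff the type from the content; never trust the client-sent Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED_IMAGE_TYPES)) {
        throw new RuntimeException('Rejected: type not in allowlist');
    }

    // A polyglot carries a valid image header, so sniffing alone passes it.
    // Decoding and re-encoding writes out only pixel data, discarding
    // metadata and trailing bytes.
    $image = @imagecreatefromstring((string) file_get_contents($tmpPath));
    if ($image === false) {
        throw new RuntimeException('Rejected: not a decodable image');
    }

    // Name and extension are chosen by the server, not taken from the client
    // filename, so the stored file can never end in .php, .phtml or .phar.
    $ext  = ALLOWED_IMAGE_TYPES[$mime];
    $dest = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    if ($ext === 'png') {
        imagesavealpha($image, true); // keep transparency when re-encoding
        $ok = imagepng($image, $dest);
    } else {
        $ok = imagejpeg($image, $dest, 90);
    }
    if (!$ok) {
        throw new RuntimeException('Could not write re-encoded image');
    }
    return $dest;
}
```

The server-chosen extension and the non-executable storage directory are the controls that matter most here; re-encoding is defence in depth and does not replace them.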