Critical PHP Voyager Vulnerabilities Enable One-Click Server Takeover - Patch Urgently Needed

Critical Security Vulnerabilities Discovered in PHP Package Voyager

Three significant security vulnerabilities have been identified in the open-source PHP package Voyager, potentially enabling remote code execution through a single click. Security researcher Yaniv Nizry from Sonar detailed these unpatched vulnerabilities, which were initially reported on September 11, 2024.

The discovered vulnerabilities include:

1. CVE-2024-55417: A file write vulnerability in “/admin/media/upload”
2. CVE-2024-55416: A reflected XSS vulnerability in “/admin/compass”
3. CVE-2024-55415: A file leak and deletion vulnerability

The most critical exploit involves attackers bypassing MIME type verification during media upload to execute malicious PHP code disguised as image or video files. When combined with the XSS vulnerability (CVE-2024-55416), this creates a severe security risk where clicking a malicious link can trigger unauthorized code execution.

Additionally, CVE-2024-55415 allows attackers to delete system files or, when combined with the XSS vulnerability, extract file contents.

With no patches currently available, users are strongly advised to implement additional security measures when using Voyager in their applications.

Keywords: PHP security vulnerabilities, Voyager package exploit, remote code execution vulnerability, CVE-2024-55417, PHP MIME type bypass, web application security

Share This Article

Critical PHP Voyager Vulnerabilities Enable One-Click Server Takeover – Patch Urgently Needed

Related Articles

Urgent Alert: Booking.com Phishing Scam Uses “ClickFix” Trick to Deploy Dangerous Malware Against Hospitality Workers

Urgent Alert: Critical FreeType Vulnerability Actively Exploited in the Wild – What You Need to Know

Alert: Medusa Ransomware Strikes Over 300 U.S. Critical Infrastructure Organizations

Quick Links

Company

Get In Touch