
Three severe security vulnerabilities have been discovered in Voyager, a popular open-source PHP package used for Laravel application management. The flaws remain unpatched and, in combination, could enable remote code execution attacks that are triggered through authenticated users.
Critical Vulnerabilities Identified:
1. CVE-2024-55417
– Allows malicious file uploads by bypassing MIME-type verification
– Enables remote code execution through polyglot files disguised as images/videos
2. CVE-2024-55416
– Affects /admin/compass endpoint
– Permits JavaScript injection in popup messages
– Enables malicious script execution when an authenticated user clicks a crafted link
3. CVE-2024-55415
– Compromises file management system
– Allows unauthorized file manipulation and access
– Potential for service disruption and data theft
Impact Assessment:
Voyager, with over 11,800 GitHub stars and millions of downloads, is widely used by:
– Web development companies
– Startups
– Freelance developers
– Small to medium-sized businesses
Security Recommendations:
– Restrict access to trusted users only
– Limit “browse_media” permissions
– Implement role-based access control
– Disable PHP file execution
– Enforce strict MIME type validation
– Monitor system logs regularly
– Consider alternative Laravel admin panels until patches are available
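The "strict MIME type validation" recommendation is the one most directly tied to the upload flaw, and it is easy to get wrong: checking the client-declared Content-Type alone is exactly what a polyglot file defeats. The following is an added Python example, not code from Voyager, Laravel or SonarSource, of what a server-side validator should do instead: check the declared type against an allowlist, verify the file's magic bytes, reject filenames that carry a server-executable extension anywhere in the name, and reject images whose bytes contain a PHP open tag. The allowlist, the executable-extension set and the sample inputs are constructed for illustration.

```python
import re
from typing import Tuple

# Allowed image types: declared MIME type -> (magic-byte prefixes, permitted extensions).
# This allowlist is constructed for the example; extend it per application.
ALLOWED = {
    "image/png":  ((b"\x89PNG\r\n\x1a\n",), {"png"}),
    "image/jpeg": ((b"\xff\xd8\xff",), {"jpg", "jpeg"}),
    "image/gif":  ((b"GIF87a", b"GIF89a"), {"gif"}),
}

# Extensions a web server may hand to the PHP interpreter. Any such segment anywhere
# in the filename (e.g. "avatar.php.png") is rejected outright, not just the last one.
SERVER_EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

# PHP open tags; an "image" that contains one is a polyglot, whatever its header says.
PHP_TAG = re.compile(rb"<\?php\b|<\?=", re.IGNORECASE)


def validate_upload(filename: str, declared_mime: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Every decision is made on the bytes and the allowlist,
    never on a client-supplied claim alone."""
    if declared_mime not in ALLOWED:
        return False, f"type not allowed: {declared_mime}"
    magics, exts = ALLOWED[declared_mime]

    # Filename checks: exactly one dot-separated extension chain with no empty segments
    # (this also rejects dotfiles such as ".htaccess").
    parts = filename.lower().split(".")
    if len(parts) < 2 or not all(parts):
        return False, "filename needs a non-empty name and extension"
    if any(p in SERVER_EXECUTABLE for p in parts[1:]):
        return False, "executable extension in filename"
    if parts[-1] not in exts:
        return False, f"extension .{parts[-1]} does not match {declared_mime}"

    # Content checks: the magic bytes must match the declared type ...
    if not any(data.startswith(m) for m in magics):
        return False, "content does not match declared type (magic bytes)"
    # ... and a valid image header is not enough if PHP code is appended or embedded.
    if PHP_TAG.search(data):
        return False, "PHP code embedded in image (polyglot)"

    return True, "ok"


# Constructed sample inputs: a minimal PNG header and a GIF header with PHP appended.
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
POLYGLOT_GIF = b"GIF89a" + b"\x00" * 8 + b"<?php echo 'polyglot'; ?>"

if __name__ == "__main__":
    for name, mime, blob in [
        ("photo.png", "image/png", GOOD_PNG),
        ("photo.gif", "image/gif", POLYGLOT_GIF),
        ("photo.php.png", "image/png", GOOD_PNG),
        ("photo.png", "image/png", b"<?php echo 1; ?>"),
    ]:
        print(name, mime, validate_upload(name, mime, blob))
```

This validator is a complement to, not a replacement for, the "Disable PHP file execution" item: even a file that passes these checks should land in a directory the web server never passes to the PHP interpreter, so that a future bypass of the validator does not become code execution.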
SonarSource researchers reported these vulnerabilities on September 11, 2024, but received no response from Voyager maintainers within the 90-day disclosure window, leading to public disclosure.