Vulnerability Management, DevSecOps, Threat Intelligence
1-click RCE possible by combining vulnerabilities in Voyager PHP
Three flaws recently discovered in Voyager, an open-source PHP admin panel for managing Laravel applications, could result in a one-click remote code execution (RCE) on a Voyager instance.

Laravel is a flexible framework that developers use to build web apps for artificial intelligence (AI), machine learning, and serverless applications. The danger here: when an authenticated Voyager user running a Laravel app clicks on a malicious link, attackers can execute arbitrary code on the server.

SonarQube Cloud researchers reported in a Jan. 27 blog post that, during continuous scans, they found an arbitrary file write vulnerability in Voyager. After further research, the SonarQube team said they discovered additional bugs and combined them to create a realistic attack scenario. The researchers then reported their findings to the project maintainers multiple times via email and GitHub with no reply. SonarQube said that under its 90-day responsible disclosure policy, it released the information to the public so it could protect users.

“Researchers found three flaws, notified the manufacturer, and didn't get a response, so they leaked it to the public,” said Evan Dornbush, former NSA cybersecurity expert. “The manufacturer still hasn't responded, which means no patch. What's even trickier here is the manufacturer appears to be volunteer hobbyists who may not be able to prioritize this in their probably busy lives. Looks like there could be millions of vulnerable systems with no vendor-provided solutions in place.”

Balazs Greksza, threat response lead at Ontinue, explained that the CVE-2024-55417 “Arbitrary File Write” vulnerability is a particularly bad entry point because the file upload checks use unsafe parameters that allow polyglot files to be uploaded: files constructed to pass file type validity checks for several file types while containing arbitrary code.

Greksza added that by chaining this vulnerability with the CVE-2024-55416 “Reflected XSS” vulnerability, it is possible to run code in the context of a privileged user, and that the CVE-2024-55415 “Arbitrary File Leak and Deletion” vulnerability can then help leak the project details.

“Chaining these vulnerabilities together could result in an attack against Voyager that can both unveil and crush sensitive project files depending on the attacker’s will,” said Greksza.

Patrick Tiquet, vice president of security and compliance at Keeper Security, said the recently disclosed vulnerabilities highlight the risks of relying on unpatched software, especially in production environments. Tiquet said the most concerning issue is the one-click RCE vulnerability, which allows attackers to execute arbitrary code simply by tricking an authenticated user into clicking a malicious link.

“This kind of attack is particularly dangerous because it bypasses traditional security barriers, requiring minimal user interaction,” said Tiquet. “Once exploited, attackers can gain full control over the affected server, potentially leading to data theft or further network compromise. Organizations using Laravel-Voyager should take immediate action by limiting admin panel access, enforcing strict role-based access controls and disabling PHP execution in upload directories.”
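The polyglot pattern Greksza describes (a file that passes an image type check but also carries PHP code) is something a defender can audit for in an existing upload directory. The script below is an added example, not code from Voyager, Laravel or the SonarQube researchers; the magic-byte allowlist, finding messages and sample inputs are constructed for this illustration.

```python
import os
import re
from typing import Dict, List, Optional

# Magic-byte signatures for the image types a media upload would normally
# accept (constructed allowlist for this example, not Voyager's own list).
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
EXT_ALIASES = {"jpeg": "jpg"}
# A PHP open tag anywhere in the body means the file can also run as a script.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def detect_type(data: bytes) -> Optional[str]:
    """Return the image type implied by the leading bytes, or None."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def audit_upload(filename: str, data: bytes) -> List[str]:
    """Return findings for one file; an empty list means it looks clean."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = EXT_ALIASES.get(ext, ext)
    kind = detect_type(data)
    if kind is None:
        findings.append("content is not a recognised image type")
    elif ext != kind:
        # e.g. a real PNG header stored under a .php extension
        findings.append(f"extension .{ext} does not match detected {kind}")
    if PHP_TAG.search(data):
        # valid image header plus PHP code: the polyglot case
        findings.append("PHP open tag embedded in file body")
    return findings


def scan_upload_dir(root: str) -> Dict[str, List[str]]:
    """Walk an upload directory and report every file that has findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()  # read whole file so a tag late in the body is not missed
            hits = audit_upload(name, data)
            if hits:
                report[path] = hits
    return report
```

Run `scan_upload_dir("/path/to/storage/uploads")` against the web root's upload area; any reported file deserves quarantine and review, and the check complements, rather than replaces, disabling PHP execution in that directory.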