Waiting for a patch: The Voyager admin interface for Laravel apps is vulnerable

Security researchers warn of possible attacks on Voyager. So far, the developers have not commented on the security vulnerabilities.


Attackers can exploit several vulnerabilities in the open source PHP package Voyager for managing Laravel applications and, in the worst case, execute malicious code. Security updates are not yet available.

Voyager is an admin interface for apps created with Laravel. Developers can use it to create menus for their applications, among other things. According to the official website, Voyager has been downloaded more than 2.3 million times to date.


Security researchers from Sonar have discovered a total of three vulnerabilities (CVE-2024-55415, CVE-2024-55416, CVE-2024-55417), for which a severity rating is apparently still pending. Among other things, attackers can bypass the file upload check in order to execute their own code on servers. If they get an admin to click on a prepared link, malicious code can also reach systems and compromise them.

In an article, the researchers state that they have contacted the developers several times but have not yet received a response. Software developers who use Voyager are therefore vulnerable. It is currently not known whether attacks have already been launched.

Following the expiry of the 90-day responsible disclosure period, the security researchers have now published details of the security risk. In their article, they describe the background to the vulnerabilities, among other things.

The researchers recommend that the tool should not be used until security patches are released. Alternatively, admins can restrict access and prohibit the execution of PHP code. However, this is only temporary protection and does not offer complete security.

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.