SC Media reports that Voyager, an open-source PHP package for managing Laravel applications, was found by SonarQube Cloud researchers to be affected by three bugs that could be chained to achieve one-click remote code execution, which Patrick Tiquet, vice president of security and compliance at Keeper Security, said could allow total server takeover for further malicious activity.
Balazs Greksza, threat response lead at Ontinue, said the most concerning of the flaws is the arbitrary file write issue, tracked as CVE-2024-55417, which, when chained with the reflected cross-site scripting bug tracked as CVE-2024-55416, could allow code execution as a privileged user. Greksza said additional exploitation of the arbitrary file leak and deletion vulnerability, tracked as CVE-2024-55415, could expose project information. The exploit chain was published by SonarQube Cloud researchers after Voyager's maintainers failed to respond within 90 days of initial disclosure.
"What's even trickier here is the manufacturer appears to be volunteer hobbyists who may not be able to prioritize this in their probably busy lives," said Evan Dornbush, a former NSA cybersecurity expert. "Looks like there could be millions of vulnerable systems with no vendor-provided solutions in place."