the-control-group voyager
cpe:2.3:a:thecontrolgroup:voyager:*:*:*:*:laravel:*:*
- <= 1.3.0
A directory traversal vulnerability has been identified in Voyager version 1.3.0 and prior. This vulnerability allows attackers to access sensitive system files by manipulating the asset path parameter. Exploitation of the path parameter in the '/admin/voyager-assets' endpoint can lead to the unauthorized reading of arbitrary files, such as '/etc/passwd' and '.env' configuration files.
Exploitation of this vulnerability could result in unauthorized access to sensitive system files, potentially leading to further exploitation or information disclosure.
To reproduce this vulnerability, send a request to the '/admin/voyager-assets' endpoint with a crafted 'path' parameter that includes directory traversal sequences. The request will bypass normal path restrictions and access sensitive files like '/etc/passwd' or the Laravel environment file located in the web root directory.
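For detection, the request pattern described above can be searched for in web server access logs. The following is an added example, not part of the original advisory or of Voyager's code; it assumes combined-format access logs, the sample log lines are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/admin/voyager-assets"  # endpoint named in the advisory
PARAM = "path"                      # parameter named in the advisory
# Request field of a combined-format log line: "METHOD target HTTP/x.y" status
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines (documentation IP range), not taken from a real system.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /admin/voyager-assets?path=css%2Fapp.css HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /admin/voyager-assets?path=..%2F..%2F..%2F.env HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Jan/2024:10:00:06 +0000] "GET /admin/voyager-assets?path=../../../../etc/passwd HTTP/1.1" 404 0',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /admin/login HTTP/1.1" 200 2048',
    '203.0.113.7 - - [01/Jan/2024:10:00:12 +0000] "GET /admin/voyager-assets?path=images%2Flogo..v2.png HTTP/1.1" 200 900',
]

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so every encoding of a value compares equal."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the decoded value contains a '..' path segment (not just '..' in a name)."""
    norm = fully_decode(value).replace("\\", "/")
    return ".." in norm.split("/")

def suspicious_requests(log_lines):
    """Return (line_no, status, decoded path) for traversal attempts on the asset endpoint."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path.rstrip("/") != ENDPOINT:
            continue
        for raw in parse_qs(url.query).get(PARAM, []):
            if is_traversal(raw):
                hits.append((line_no, int(m.group("status")), fully_decode(raw)))
    return hits
```

A flagged request that returned status 200 is the one to triage first, since it suggests the file was actually served by a vulnerable version.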