DevDojo Voyager Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in DevDojo Voyager versions through 1.8.0. The issue arises in the admin compass section, where an authenticated user can be manipulated into clicking a link that executes arbitrary JavaScript. This vulnerability is particularly concerning as it can be combined with other issues to escalate to remote code execution on the server.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can execute arbitrary JavaScript in the context of the victim's browser. When combined with an existing arbitrary file upload vulnerability in Voyager, this could be escalated to remote code execution on the server.

Reproduction

To reproduce this vulnerability, an authenticated user must be tricked into clicking a crafted link that targets the '/admin/compass' endpoint. This can be done by embedding a malicious script into a file name that the user is likely to open or delete, exploiting the way Voyager handles log file deletions. Once the link is clicked, the injected JavaScript will execute in the user's browser.