Primary

Context

DevDojo Voyager Arbitrary Code Execution Vulnerability via Bypassed File Type Verification

Vulnerability

A vulnerability in DevDojo Voyager through version 1.8.0 allows authenticated users to bypass file type verification when uploading files through the '/admin/media/upload' endpoint. This flaw can be exploited to upload web shells, leading to arbitrary code execution on the server.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server, with the executed code running in the context of the user who uploaded the file.

Reproduction

To reproduce this vulnerability, an authenticated user must upload a file through the '/admin/media/upload' endpoint. The upload process involves bypassing the application's MIME type verification, which can be achieved by manipulating the file's content to be recognized as an allowed type, such as an image or video. Once the file is uploaded, it can be executed as a PHP script, resulting in arbitrary code execution on the server.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

4.0

remediation

0.0

relevance

0.0

threat

6.8

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

4.0

remediation

0.0

relevance

0.0

threat

6.8

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

DevDojo Voyager Arbitrary Code Execution Vulnerability via Bypassed File Type Verification

Vulnerability

Impact

Reproduction

Affected Products

DevDojo Voyager

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating