DevDojo Voyager Command Injection Vulnerability in Laravel 8

Vulnerability

A command injection vulnerability has been identified in DevDojo Voyager versions 1.4.0 through 1.8.0 when the package is used with Laravel 8 or later. The Compass tool bundled with Voyager lets an administrator run php artisan commands from the browser, and because the submitted command string is not adequately validated, an authenticated administrator can get arbitrary operating system commands executed on the host. Note the precondition: exploitation requires an account that already holds the Voyager admin role, so the issue turns application-level admin access into operating-system access rather than granting it to unauthenticated users.

Impact

Exploitation of this vulnerability leads to unauthorized execution of system commands with the privileges of the PHP or web-server process. From there an attacker can read application secrets available to that process (for example the Laravel .env file and database credentials), tamper with the application, and use the server as a foothold for further compromise of the host or the surrounding infrastructure.

Reproduction

To reproduce this vulnerability, an authenticated administrator opens the '/admin/compass' endpoint (the Compass tool shipped with Voyager) and uses its command execution feature to run a php artisan command. The operating system command is injected as a payload inside that artisan command string; because the input is not validated, it is executed on the server. The advisory does not specify the exact command or payload, and none is given here.

Remediation

It is recommended to disable the Compass feature ('/admin/compass') if it is not needed. If Compass must remain available, restrict it to the smallest possible set of administrators, treat every Voyager admin account as equivalent to shell access on the host (strong authentication, no shared accounts), and review web-server and application logs for requests to '/admin/compass', since legitimate use of the tool should be rare and recognisable.
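One way to enforce the "disable Compass" recommendation at the application layer, as an added example that is not Voyager's own code and not from this advisory: a global Laravel middleware that refuses every request to the Compass endpoint before Voyager's controller is reached, so the artisan runner is unreachable even for authenticated administrators, and logs each attempt. It assumes Voyager is mounted under the default 'admin' route prefix (the $adminPrefix property is an assumption; change it if your installation uses another prefix) and a Laravel 8 to 10 style app/Http/Kernel.php.

```php
<?php
// app/Http/Middleware/BlockVoyagerCompass.php
//
// Added example (not part of Voyager or of the advisory): a global middleware that
// makes /admin/compass unreachable. Assumption: Voyager is mounted under the default
// "admin" prefix; adjust $adminPrefix otherwise.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Symfony\Component\HttpFoundation\Response;

class BlockVoyagerCompass
{
    /** Route prefix Voyager is mounted on (assumption: the default "admin"). */
    private string $adminPrefix = 'admin';

    public function handle(Request $request, Closure $next): Response
    {
        // Match /admin/compass and everything beneath it, for every HTTP method,
        // so both the page itself and the POST that runs commands are refused.
        $patterns = [
            $this->adminPrefix . '/compass',
            $this->adminPrefix . '/compass/*',
        ];

        if ($request->is(...$patterns)) {
            // With Compass disabled, any hit is anomalous and worth an alert.
            Log::warning('Blocked request to Voyager Compass', [
                'ip'     => $request->ip(),
                'user'   => optional($request->user())->getAuthIdentifier(),
                'method' => $request->method(),
                'path'   => $request->path(),
            ]);

            // 404 rather than 403 so the response does not confirm the tool exists.
            abort(404);
        }

        return $next($request);
    }
}
```

Register the class in the global $middleware array of app/Http/Kernel.php (on Laravel 11 use the withMiddleware callback in bootstrap/app.php instead) so it runs before route resolution and therefore before any Voyager route middleware. After deploying, confirm the block with an authenticated admin session: a request to /admin/compass should return 404 and produce the warning entry in the application log.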

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 4.2
remediation: 8.3
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these eight key vulnerability categories, which are then combined into the overall risk score.