Platform
laravel
Component
voyager
Fixed in
1.3.1
CVE-2020-37214 represents a directory traversal vulnerability discovered in Voyager CMS. This flaw allows unauthorized access to sensitive system files by manipulating the asset path parameter within the /admin/voyager-assets endpoint. Versions 1.3.0 and earlier are affected, and a patch is available in version 1.3.1.
The directory traversal vulnerability in Voyager CMS allows an attacker to bypass intended access controls and read arbitrary files on the server. By crafting malicious requests to the /admin/voyager-assets endpoint, an attacker can manipulate the asset path parameter to access files outside the intended asset directory. This could expose critical system configuration files, such as .env (containing database credentials, API keys, and other sensitive information) and /etc/passwd (potentially revealing user accounts). Successful exploitation could lead to complete system compromise, data breaches, and further malicious activity.
CVE-2020-37214 was publicly disclosed on February 11, 2026. While no active exploitation campaigns have been definitively linked to this CVE, the ease of exploitation and the potential for significant data exposure make it a concerning vulnerability. No public proof-of-concept exploits are currently available, but the vulnerability's nature suggests that such exploits could be developed relatively easily. It is not listed on the CISA KEV catalog at the time of this writing.
Voyager CMS installations, particularly those running version 1.3.0 or earlier, are at risk. Shared hosting environments utilizing Voyager CMS are especially vulnerable due to limited control over server configurations and potential exposure to other tenants' exploits. Development environments with default configurations are also at increased risk.
• laravel / server:
grep 'voyager-assets' /var/log/apache2/access.log
grep -F '../' /var/log/apache2/access.log
EPSS
0.33% (56th percentile)
The primary mitigation for CVE-2020-37214 is to upgrade Voyager CMS to version 1.3.1 or later, which contains the fix. If an immediate upgrade is not possible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious characters or patterns in the asset path parameter. Additionally, restrict access to the /admin/voyager-assets endpoint to authorized users only. Regularly review and harden server configurations to minimize the potential impact of this vulnerability.
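The log checks listed earlier only match a literal ../ sequence, so percent-encoded or double-encoded requests pass unnoticed. As an added example (not code from Voyager or from this advisory), the following Python function flags requests to /admin/voyager-assets whose query string contains a parent-directory segment after repeated percent-decoding. It assumes common/combined access log format; the sample log lines and the query key `file` are constructed placeholders, and the detector inspects the whole query string rather than one parameter name.

```python
import re
from urllib.parse import unquote, urlsplit

ENDPOINT = "/admin/voyager-assets"  # endpoint named in the advisory
# Request line and status code in a common/combined-format entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# A ".." path segment: preceded by a separator, followed by / or \ or end of string.
DOTDOT_RE = re.compile(r'(?:^|[/\\=&])\.\.(?:[/\\]|$)')


def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so %252e%252e and %2e%2e both become '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_attempts(lines):
    """Return (status, raw_target) for endpoint requests carrying '..' segments."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target, status = m.group(1), int(m.group(2))
        parts = urlsplit(target)
        if not fully_decode(parts.path).rstrip("/").endswith(ENDPOINT):
            continue
        if DOTDOT_RE.search(fully_decode(parts.query)):
            hits.append((status, target))
    return hits


# Constructed sample entries (documentation IP range, placeholder query key "file").
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Feb/2026:10:01:02 +0000] "GET /admin/voyager-assets?file=css/app.css HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Feb/2026:10:01:09 +0000] "GET /admin/voyager-assets?file=..%2F..%2Fexample.txt HTTP/1.1" 200 812',
    '203.0.113.7 - - [12/Feb/2026:10:01:11 +0000] "GET /admin/voyager-assets?file=%252e%252e%252fexample.txt HTTP/1.1" 404 0',
    '203.0.113.9 - - [12/Feb/2026:10:02:00 +0000] "GET /assets?file=../x HTTP/1.1" 404 0',
    '203.0.113.9 - - [12/Feb/2026:10:02:05 +0000] "GET /admin/voyager-assets?file=images/logo..png HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for status, target in find_traversal_attempts(SAMPLE_LOG):
        print(status, target)
```

Hits that returned status 200 are the ones to triage first, since they indicate the server answered the request with content.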
Upgrade Voyager to version 1.3.1 or later to mitigate the directory traversal vulnerability. This update corrects how asset paths are handled, preventing unauthorized access to sensitive system files.
CVE-2020-37214 is a directory traversal vulnerability in Voyager CMS versions 1.3.0 and below, allowing attackers to read sensitive files by manipulating the asset path parameter.
Yes, if you are running Voyager CMS version 1.3.0 or earlier, you are affected by this vulnerability.
Upgrade Voyager CMS to version 1.3.1 or later to remediate the vulnerability. Consider WAF rules as a temporary workaround.
Public proof-of-concept exploits are available, suggesting potential for active exploitation. Monitor your systems for suspicious activity.
Refer to the Voyager CMS official website and security advisories for the latest information and updates regarding CVE-2020-37214.