CVE-2020-37214
Published: 11 February 2026
Summary
CVE-2020-37214 is a high-severity Path Traversal (CWE-22) vulnerability in Devdojo (inferred from references). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 44.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2020-37214 is a directory traversal vulnerability (CWE-22) affecting Voyager version 1.3.0, an admin panel for Laravel applications. The flaw resides in the asset path parameter within the /admin/voyager-assets endpoint, enabling attackers to manipulate paths and access sensitive system files outside the intended directory.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to its network accessibility, low attack complexity, and lack of required privileges. Remote attackers without authentication can exploit it to read arbitrary files, such as /etc/passwd for user enumeration or .env files containing configuration secrets like database credentials.
Mitigation involves upgrading to a patched version, as indicated by Voyager release tags v1.2.7 and v1.3.0 on GitHub. Additional resources include the official Voyager site, an Exploit-DB entry (47875) demonstrating the issue, and a Vulncheck advisory detailing the directory traversal. Security practitioners should scan for exposed Voyager instances and validate input sanitization on asset paths.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-31175
Vulnerability details
Voyager 1.3.0 contains a directory traversal vulnerability that allows attackers to access sensitive system files by manipulating the asset path parameter. Attackers can exploit the path parameter in /admin/voyager-assets to read arbitrary files like /etc/passwd and .env configuration files.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Directory traversal in a public-facing web application enables remote, unauthenticated file read (T1190), which directly supports access to local system data (T1005), credential theft from files such as .env (T1552.001), and account enumeration via /etc/passwd (T1087.001).
Mitigating Controls (NIST 800-53 r5) AI
- Validates the asset path parameter in the /admin/voyager-assets endpoint to block directory traversal sequences like '../' from reaching sensitive files.
- Remediates the specific directory traversal flaw in Voyager 1.3.0 by applying vendor patches such as those in updated releases.
- Enforces access control policies that restrict file access to the intended asset directories only, preventing unauthorized reads of system files like /etc/passwd.
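The input-validation and access-enforcement controls above, written out as working code. This is an added example, not Voyager's own code or the vendor patch: it is a Python rendering of the check a PHP asset-serving route would need, plus a small review of web-server access logs for requests the check would have refused. The asset root directory, the combined-format log lines and the query parameter being literally named `path` are assumptions for the example; only the endpoint /admin/voyager-assets and the targets /etc/passwd and .env come from the page.

```python
"""Added example (not Voyager's code): lexical asset-path validation and
access-log review for the traversal pattern described in this advisory.

Assumptions not taken from the page: the asset root directory, the
combined log format of the sample lines, and the parameter name `path`.
"""
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical on-disk location of the published assets.
ASSET_ROOT = "/var/www/app/public/vendor/voyager/assets"

MAX_DECODE_PASSES = 3  # bounds repeated decoding of nested %-encoding


def resolve_asset_path(requested: str, root: str = ASSET_ROOT) -> Optional[str]:
    """Map a client-supplied asset name onto a file under `root`.

    Returns the absolute path, or None when the request is not a plain
    relative path to a non-hidden file inside the asset directory.
    """
    # Undo nested percent-encoding (%252e -> %2e -> .) before inspecting.
    decoded = requested
    for _ in range(MAX_DECODE_PASSES):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once

    # NUL bytes truncate paths in C-based runtimes; never pass them on.
    if "\x00" in decoded:
        return None

    # Treat Windows separators as separators so "..\\" is not overlooked.
    decoded = decoded.replace("\\", "/")

    # Only relative names are acceptable; an absolute path would ignore root.
    if decoded.startswith("/"):
        return None

    normalized = posixpath.normpath(decoded)

    # Empty input normalizes to "."; a leading ".." escapes the root.
    if normalized in (".", "..") or normalized.startswith("../"):
        return None

    # Refuse dotfiles such as .env anywhere in the path.
    if any(part.startswith(".") for part in normalized.split("/")):
        return None

    full = posixpath.join(root, normalized)

    # Final containment check on the joined path (access enforcement).
    if posixpath.commonpath([root, full]) != root:
        return None
    return full


# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Feb/2026:10:00:01 +0000] "GET /admin/voyager-assets?path=js/app.js HTTP/1.1" 200 5120',
    '198.51.100.7 - - [11/Feb/2026:10:00:02 +0000] "GET /admin/voyager-assets?path=../../../../etc/passwd HTTP/1.1" 200 1843',
    '198.51.100.8 - - [11/Feb/2026:10:00:03 +0000] "GET /admin/voyager-assets?path=%2e%2e%2f%2e%2e%2f.env HTTP/1.1" 200 712',
    '198.51.100.9 - - [11/Feb/2026:10:00:04 +0000] "GET /admin/login HTTP/1.1" 200 3100',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def flag_traversal_requests(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (request target, HTTP status) for voyager-assets requests whose
    `path` value the validator above refuses."""
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if url.path != "/admin/voyager-assets":
            continue
        # parse_qs decodes one layer of %-encoding; the validator handles the rest.
        for candidate in parse_qs(url.query).get("path", []):
            if resolve_asset_path(candidate) is None:
                hits.append((match.group("target"), match.group("status")))
                break
    return hits


if __name__ == "__main__":
    for target, status in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt: {target} -> HTTP {status}")
```

The validation is purely lexical so that it runs without a filesystem; in a deployed route, resolve the returned path with the platform's realpath equivalent and repeat the containment check, otherwise a symbolic link inside the asset directory can still point outside it. When reviewing logs, a refused request that returned HTTP 200 is the case to triage first, since it indicates the unpatched behaviour described above rather than a blocked attempt.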