Cyber Resilience

CVE-2024-55415

Severity: Medium · Public PoC
Published: 30 January 2025
Modified: 23 May 2025
KEV Added: not listed
Patch: none recorded
CVSS Score (v3.1): 5.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)
EPSS Score: 0.6378 (98.4th percentile)
Risk Priority: 50 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-55415 is a medium-severity path traversal (CWE-22) vulnerability in Voyager, the Laravel admin package from DevDojo (catalogued under the vendor name Thecontrolgroup). Its CVSS v3.1 base score is 5.7 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.6% of CVEs by exploit likelihood (EPSS 98.4th percentile), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

DevDojo Voyager through version 1.8.0 is affected by a path traversal vulnerability (CWE-22) at the /admin/compass endpoint. The issue carries a CVSS 3.1 score of 5.7, reflecting a network attack vector, low attack complexity, low privileges required and user interaction required, with high impact on confidentiality only (no integrity or availability impact).

An authenticated attacker with low-privileged access can supply crafted input to the affected compass controller routes and traverse outside the intended directory to read arbitrary files the web server process can access. The referenced source, VoyagerCompassController.php, builds a filesystem path from request input without sanitising it, so a value containing `../` components escapes the directory the route is meant to serve from.

Public references include source code inspection of the vulnerable controller and a SonarSource analysis detailing multiple Voyager issues; none of the available references provides official patch or mitigation guidance. The EPSS score is 0.6378, with no trend data recorded.
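Because the flaw is reached through ordinary HTTP requests to /admin/compass, the quickest retrospective check is a scan of the web server's access log for traversal payloads aimed at that route. The script below is an added example, not code from the page or from the Voyager project: it assumes Apache/nginx combined log format, treats the query parameter name `file` as a placeholder (the check inspects every query value, so it does not depend on the real name), and the log lines are constructed for the demo. It decodes the URL up to three times so single- and double-encoded dot segments are caught, and scopes the match to /admin/compass so traversal attempts against other routes are reported separately if you widen it.

```php
<?php
// Added example, not from the page or the Voyager project: flag requests to
// /admin/compass whose query string carries a path-traversal payload. The log
// lines are constructed, and the parameter name "file" is an assumption; the
// check looks at every query value so it does not depend on that name.
declare(strict_types=1);

// Decode repeatedly (bounded) so %2e%2e%2f and double-encoded %252e%252e%252f
// both collapse to "../". rawurldecode() is used so '+' is left untouched.
function fullyDecode(string $s): string
{
    for ($i = 0; $i < 3; $i++) {
        $d = rawurldecode($s);
        if ($d === $s) {
            break;
        }
        $s = $d;
    }
    return $s;
}

// True when any query value, after decoding and backslash normalisation,
// contains a ".." path component or starts with an absolute path.
function isTraversalAttempt(string $target): bool
{
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($query) || $query === '') {
        return false;
    }
    foreach (explode('&', $query) as $pair) {
        [, $raw] = array_pad(explode('=', $pair, 2), 2, '');
        $value = str_replace('\\', '/', fullyDecode($raw));
        if (preg_match('~(^|/)\.\.(/|$)~', $value) === 1 || str_starts_with($value, '/')) {
            return true;
        }
    }
    return false;
}

// Scan combined-format access log text; return the offending request targets.
// The request line in the log holds the URI as received, i.e. still encoded.
function scanCompassLog(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (preg_match('~"(?:GET|POST) (\S+) HTTP/[\d.]+"~', $line, $m) !== 1) {
            continue;
        }
        $path = parse_url($m[1], PHP_URL_PATH);
        if (is_string($path) && str_starts_with($path, '/admin/compass') && isTraversalAttempt($m[1])) {
            $hits[] = $m[1];
        }
    }
    return $hits;
}

// Constructed sample: one benign compass request, three traversal attempts with
// increasing encoding, and one traversal aimed at a different route (out of scope).
$sample = <<<'LOG'
10.0.0.5 - admin [30/Jan/2025:10:00:00 +0000] "GET /admin/compass?file=laravel.log HTTP/1.1" 200 512
10.0.0.9 - admin [30/Jan/2025:10:00:03 +0000] "GET /admin/compass?file=../../.env HTTP/1.1" 200 301
10.0.0.9 - admin [30/Jan/2025:10:00:05 +0000] "GET /admin/compass?file=%2e%2e%2f%2e%2e%2f.env HTTP/1.1" 200 301
10.0.0.9 - admin [30/Jan/2025:10:00:07 +0000] "GET /admin/compass?file=%252e%252e%252f.env HTTP/1.1" 404 0
10.0.0.7 - admin [30/Jan/2025:10:00:09 +0000] "GET /admin/media?path=../../etc/passwd HTTP/1.1" 403 0
LOG;

foreach (scanCompassLog($sample) as $target) {
    echo "traversal attempt: $target\n";
}
```

Run it with `php scan.php` (PHP 8 or later, for `str_starts_with`). Only the three /admin/compass lines with `..` segments are reported; the benign `laravel.log` request and the `/admin/media` line are not, the latter because the scope is deliberately restricted to this CVE's route. A 200 response alongside a flagged target is the signal worth escalating, since it means the traversal returned content rather than an error.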

Vulnerability details

DevDojo Voyager through 1.8.0 is vulnerable to path traversal at the /admin/compass endpoint.

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
T1036.008 Masquerade File Type (Defense Evasion): Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file's signature, extension, icon, and contents.
Why these techniques?

Path traversal (CVE-2024-55415) in the admin panel and arbitrary file write (CVE-2024-55417) in the media upload together let an attacker exploit the public-facing application (T1190). The file write is the piece that yields remote code execution: a polyglot web shell masquerading as an allowed image type (T1036.008) is planted on the server (T1505.003), and the resulting execution can then be used to escalate privileges (T1068).

CVEs Like This One

CVE-2024-55417 (same product: Thecontrolgroup Voyager)
CVE-2025-3740 (shared CWE-22)
CVE-2025-3671 (shared CWE-22)
CVE-2025-40738 (shared CWE-22)
CVE-2025-40737 (shared CWE-22)
CVE-2025-1661 (shared CWE-22)
CVE-2026-33529 (shared CWE-22)
CVE-2026-9550 (shared CWE-22)
CVE-2024-44373 (shared CWE-22)
CVE-2025-62630 (shared CWE-22)

Affected Assets

Vendor: thecontrolgroup
Product: voyager
Versions: ≤ 1.8.0

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent, SI-10 Information Input Validation: Validate input at the /admin/compass endpoint so that path traversal payloads are rejected before any file is opened and files outside the intended directory cannot be read.

Prevent, SI-2 Flaw Remediation: Apply the vendor fix for the VoyagerCompassController flaw when one is available; all versions through 1.8.0 are affected, and the available references record no official patch yet.

Prevent: Enforce logical access controls so that authenticated users cannot traverse directories or reach sensitive files outside the intended paths.
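What "input validation at the endpoint" means in practice, for both the traversal described under Deeper analysis and the SI-10 control above, is easier to see in code. The block below is an added example, not Voyager's controller and not code from the page: a minimal stand-in for a "show me this log file" handler, first in the naive form that concatenates user input onto a directory (the CVE pattern), then in a hardened form. The directory layout, the file names, the `.log` allow-list and the parameter value are all assumptions made for the demonstration; a temporary fixture is created so it runs offline.

```php
<?php
// Added example: not Voyager's code. A stand-in for a "show me this log file"
// handler of the kind behind /admin/compass, in a naive, traversable form and
// a hardened form. Directory layout, file names and the ".log" allow-list are
// assumptions made for illustration.
declare(strict_types=1);

// Naive: the user-supplied name is concatenated onto the directory, so
// "../../.env" resolves to a file two levels above the log directory.
function readLogNaive(string $logDir, string $file): ?string
{
    $path = $logDir . '/' . $file;
    return is_file($path) ? file_get_contents($path) : null;
}

// Hardened: (1) allow-list the name so separators and dot segments never reach
// the filesystem, then (2) canonicalise both sides with realpath() and require
// the resolved file to sit inside the resolved directory. Either check alone is
// weaker: (1) silently breaks if the allow-list is loosened later, and (2) on
// its own still lets realpath() act as an existence oracle for paths outside.
function readLogSafe(string $logDir, string $file): ?string
{
    if (preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\.log\z/', $file) !== 1) {
        return null;                                   // fails the allow-list
    }
    $root = realpath($logDir);
    $path = realpath($logDir . DIRECTORY_SEPARATOR . $file);
    if ($root === false || $path === false) {
        return null;                                   // missing dir or file
    }
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $rootPrefix, strlen($rootPrefix)) !== 0) {
        return null;                                   // escaped the directory
    }
    return file_get_contents($path);
}

// Fixture (constructed): a fake Laravel tree with a log file and a .env above it.
function buildFixture(): string
{
    $base = sys_get_temp_dir() . '/voyager-demo-' . bin2hex(random_bytes(4));
    mkdir("$base/storage/logs", 0700, true);
    file_put_contents("$base/storage/logs/laravel.log", "[info] app booted\n");
    file_put_contents("$base/.env", "APP_KEY=base64:demo\nDB_PASSWORD=hunter2\n");
    return $base;
}

$base   = buildFixture();
$logDir = "$base/storage/logs";

// Probe values as the handler would receive them after the framework decodes
// the query string: a legitimate name, the CVE pattern, and a path that ends
// up inside the directory but is still rejected by the allow-list.
$probes = ['laravel.log', '../../.env', '../../storage/logs/laravel.log'];

foreach ($probes as $file) {
    $naive = readLogNaive($logDir, $file) === null ? 'null' : 'READ';
    $safe  = readLogSafe($logDir, $file) === null ? 'null' : 'READ';
    printf("%-32s naive=%-5s safe=%s\n", $file, $naive, $safe);
}

// Remove the fixture.
unlink("$base/.env");
unlink("$base/storage/logs/laravel.log");
rmdir("$base/storage/logs");
rmdir("$base/storage");
rmdir($base);
```

Run with `php demo.php`. The naive handler returns the contents of `.env` for `../../.env`, which is exactly the confidentiality impact the CVSS vector records (C:H, I:N, A:N); the hardened handler returns `null` for both traversal probes and content only for `laravel.log`. The prefix comparison is done against `$root` with a trailing separator so that a sibling directory whose name merely begins with the log directory's name (for example `logs-archive` next to `logs`) is not accepted.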
