CVE-2020-36070

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to upload malicious PHP files through Voyager's media component, leading to arbitrary code execution on affected servers. It affects Voyager versions 1.4 and earlier, putting any website using this Laravel admin panel at risk of complete server compromise.

💻 Affected Systems

Products:
  • Voyager (Laravel Admin Panel)
Versions: 1.4 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Voyager installations with media component enabled, which is default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server takeover with attacker gaining shell access, installing backdoors, stealing data, and pivoting to other systems.

🟠 Likely Case

Webshell deployment leading to data exfiltration, defacement, or cryptocurrency mining malware installation.

🟢 If Mitigated

Attack blocked at web application firewall level with no file uploads reaching vulnerable component.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5 and later

Vendor Advisory: https://github.com/the-control-group/voyager/releases

Restart Required: No

Instructions:

1. Backup your Voyager installation and database.
2. Update Voyager to version 1.5 or later via composer: 'composer require tcg/voyager'.
3. Run migrations if needed: 'php artisan voyager:install'.
4. Clear cache: 'php artisan cache:clear'.

🔧 Temporary Workarounds

Disable Media Uploads

Platform: all

Temporarily disable the media upload functionality in Voyager admin panel.

Restrict PHP File Uploads

Platform: linux

Configure web server to block .php file uploads to media directories.

# For Apache 2.4: add to .htaccess in the media upload directory
# (Apache 2.2: use "Order Deny,Allow" and "Deny from all" instead)
<Files "*.php">
    Require all denied
</Files>
# For Nginx: add to the server block BEFORE the PHP-FPM location, since the
# first matching regex location wins. Scope it to the media directory only;
# an unscoped "\.php$" deny would also block the application's index.php.
# MEDIA_PATH is a placeholder for the URL path of the Voyager media directory.
location ~* ^/MEDIA_PATH/.*\.php$ {
    deny all;
}

🧯 If You Can't Patch

  • Implement strict WAF rules to block .php file uploads to media endpoints
  • Isolate Voyager instance in separate network segment with limited access

🔍 How to Verify

Check if Vulnerable:

Check the Voyager version in composer.json or via the 'php artisan voyager:version' command.

Check Version:

php artisan voyager:version

Verify Fix Applied:

Confirm version is 1.5+ and test that .php file uploads to media component are properly rejected.

📡 Detection & Monitoring

Log Indicators:

  • PHP file upload attempts to /admin/media endpoints
  • Unusual file creation in media upload directories
  • POST requests with .php extensions to upload endpoints

Network Indicators:

  • HTTP POST requests with .php files to media upload URLs
  • Unusual outbound connections from web server post-upload

SIEM Query:

source="web_logs" AND (uri_path="/admin/media/upload" OR uri_path="/admin/media") AND file_extension="php"
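The SIEM query above expressed as runnable detection logic, as an added example that is not part of this advisory. It assumes JSON web-log records with `method`, `uri_path` and `file_name` fields (an assumption; the query's `file_extension` is derived from `file_name` here) and, as a defender's caveat, also matches common PHP extension variants beyond the `.php` named in the indicators.

```python
import json
import posixpath
from urllib.parse import urlsplit

# Endpoints named in the advisory's log indicators and SIEM query
MEDIA_UPLOAD_PATHS = {"/admin/media", "/admin/media/upload"}
# The advisory names .php; the other variants are added as a defender's
# caveat (assumption: the web server also executes these extensions)
PHP_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar"}

def _normalize_path(uri):
    """Strip the query string and trailing slashes, collapse '..' and '//'."""
    path = urlsplit(uri).path or "/"
    path = posixpath.normpath(path)
    return path.rstrip("/") or "/"

def _extension(filename):
    """Return the lower-cased final extension of an uploaded file name."""
    base = filename.rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[-1].lower()

def find_php_uploads(log_lines):
    """Return the parsed records matching the advisory's SIEM query:
    a POST to a media upload endpoint carrying a PHP-extension file."""
    hits = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed or empty line; a real pipeline would count these
        if rec.get("method", "").upper() != "POST":
            continue
        if _normalize_path(rec.get("uri_path", "")) not in MEDIA_UPLOAD_PATHS:
            continue
        if _extension(rec.get("file_name", "")) in PHP_EXTENSIONS:
            hits.append(rec)
    return hits

# Constructed sample records (not real logs): a clean upload, an upper-cased
# extension, a query string plus trailing slash, and a non-media endpoint
SAMPLE_LOG = """\
{"ts":"2024-01-01T10:00:00Z","src_ip":"203.0.113.5","method":"POST","uri_path":"/admin/media/upload","file_name":"photo.jpg","status":200}
{"ts":"2024-01-01T10:00:05Z","src_ip":"203.0.113.5","method":"POST","uri_path":"/admin/media/upload","file_name":"image.PHP","status":200}
{"ts":"2024-01-01T10:00:09Z","src_ip":"203.0.113.5","method":"POST","uri_path":"/admin/media/upload/?x=1","file_name":"x.phtml","status":200}
{"ts":"2024-01-01T10:01:00Z","src_ip":"198.51.100.7","method":"POST","uri_path":"/admin/posts","file_name":"notes.php","status":200}
"""
```

Calling `find_php_uploads(SAMPLE_LOG.splitlines())` returns the second and third records; the case-folding and path normalization are what keep a plain string-equality query from missing them.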
