CVE-2019-17050

EUVD-2019-7522
An issue was discovered in the Voyager package through 1.2.7 for Laravel. An attacker with admin privileges and Compass access can read or delete arbitrary files, such as the .env file. NOTE: a software maintainer has suggested a solution in which Compass is switched off in a production environment.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 67%
Affected Products (NVD)
VendorProductVersion
thecontrolgroupvoyager
𝑥
≤ 1.2.7
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/the-control-group/voyager/issues/4322
https://github.com/the-control-group/voyager/issues/4322