CVE-2024-55416
Published 2025-01-30
Priority: P4 (27) | Severity: low | CVSS 3.1 base score: 3.5
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Exploit likelihood (EPSS): 24.09%, 97.6th percentile
DevDojo Voyager through version 1.8.0 is vulnerable to reflected XSS via /admin/compass. By manipulating an authenticated user to click on a link, arbitrary JavaScript can be executed. The vector's PR:H and UI:R flags spell out the preconditions: the victim must already be logged in to the Voyager admin panel and must follow the attacker's link, after which the injected script runs with that admin session's cookies and CSRF token.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tcg | voyager | 0 – 1.8.0 | — |
| thecontrolgroup | voyager | <= 1.8.0 | — |
OSV
osv · 2025-01-30
CVE-2024-55416 [LOW] DevDojo Voyager vulnerable to reflected Cross-site Scripting
GHSA
ghsa · 2025-01-30
CVE-2024-55416 [LOW] CWE-79 DevDojo Voyager vulnerable to reflected Cross-site Scripting
No detection rules found.
Nuclei
DevDojo Voyager <=1.8.0 - Cross-Site Scripting
nuclei · CVSS 3.5
CVE-2024-55416 [LOW] DevDojo Voyager <=1.8.0 - Cross-Site Scripting

The template as captured on this page is truncated: its `id` and `info` blocks, the first request, and the head of that request's matcher are missing, so only the fragment below survives. Reindented as YAML, the surviving steps are: the tail of a first matcher that expects a 302; a GET of /admin/compass with `del=` set to `PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDEpPi5sb2c=`, which base64-decodes to `<img src=x onerror=alert(1)>.log`, checked for a 302 whose Location points back at /admin/compass; and a final GET of `/admin/compass?logs=true` whose 200 body must contain the flash text `Successfully deleted log file: .log`.

```yaml
      # ... template head and first request missing from the page
          - "status_code == 302"
        condition: and
        internal: true
  - raw:
      - |
        GET /admin/compass?del=PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDEpPi5sb2c= HTTP/1.1
        Host: {{Hostname}}
    redirects: false
    matchers:
      - type: dsl
        dsl:
          - "contains(location,'/admin/compass')"
          - "status_code == 302"
        condition: and
        internal: true
  - raw:
      - |
        GET /admin/compass?logs=true HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - "contains(body,'Successfully deleted log file: .log')"
          - "status_code == 200"
        condition: and
# digest: 4a0a00473045022100eeac145fad404e0e6def2c9c13bc08f4a6f49144c62bcfee23cc5c8b9267132902205b369b9f5398af79e0a48c1c02fd8fc57821a7aeb38626cef7c235f48aeb5d07:922c64590222798bb761d5b6d8e72950
```
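The template's payload and matcher together describe the bug class: a base64 value in `del=` is decoded and the resulting file name is echoed back inside a "Successfully deleted log file" flash message, so the base64 layer adds no protection and the raw name lands in the admin's page. The following Python is an added example, not Voyager's code or the Nuclei project's: it rebuilds the template's `del=` value from the decoded name, shows the vulnerable interpolation beside a hardened handler that allowlists the name and HTML-escapes it, and gives a tester-side check for whether the raw payload survived into a response body. The flash markup, the `SAFE_LOG_NAME` allowlist, and the `handle_delete_*` names are assumptions of this example; only the message text and the base64 value come from the template above.

```python
import base64
import html
import re
from urllib.parse import quote

# Constructed sample: the log name carried in the template's del= value
# (the base64 on the page decodes to exactly this string).
XSS_LOG_NAME = '<img src=x onerror=alert(1)>.log'

# Allowlist for a deletable log name: a plain basename ending in .log with
# no path separators or leading dots. This pattern is an assumption of this
# example, not a rule Voyager ships.
SAFE_LOG_NAME = re.compile(r'[A-Za-z0-9][A-Za-z0-9._-]*\.log')

# Flash markup is illustrative; only the message text comes from the template.
FLASH = '<div class="alert alert-success">Successfully deleted log file: {}</div>'
INVALID = '<div class="alert alert-danger">Invalid log file name</div>'


def encode_del(filename: str) -> str:
    """Encode a log name the way the del= parameter carries it (standard base64)."""
    return base64.b64encode(filename.encode()).decode()


def decode_del(param: str) -> str:
    """Decode del= as the endpoint does before echoing the name back.
    validate=True makes malformed input raise binascii.Error (a ValueError)."""
    return base64.b64decode(param, validate=True).decode('utf-8', errors='replace')


def poc_url(base_url: str, filename: str = XSS_LOG_NAME) -> str:
    """Build the link an attacker would send to a logged-in Voyager admin."""
    return base_url.rstrip('/') + '/admin/compass?del=' + quote(encode_del(filename), safe='')


def flash_unsafe(filename: str) -> str:
    """Vulnerable pattern: the decoded name is interpolated into HTML verbatim."""
    return FLASH.format(filename)


def flash_safe(filename: str) -> str:
    """Hardened pattern: HTML-escape the name before interpolating it."""
    return FLASH.format(html.escape(filename, quote=True))


def validate_log_name(filename: str) -> bool:
    """Server-side allowlist applied before the name is used or echoed."""
    return SAFE_LOG_NAME.fullmatch(filename) is not None


def handle_delete_unsafe(param: str) -> str:
    """Simulated vulnerable handler for GET /admin/compass?del=... (hypothetical)."""
    return flash_unsafe(decode_del(param))


def handle_delete_hardened(param: str) -> str:
    """Simulated hardened handler: reject bad base64 and non-allowlisted names,
    then escape whatever is reflected (hypothetical)."""
    try:
        name = decode_del(param)
    except ValueError:
        return INVALID
    if not validate_log_name(name):
        return INVALID
    return flash_safe(name)


def is_reflected(body: str, payload: str = XSS_LOG_NAME) -> bool:
    """Tester-side check: did the raw payload survive into the response body?
    (The page's template matches on the message text instead.)"""
    return payload in body


if __name__ == '__main__':
    print(poc_url('https://voyager.example'))
    print('unsafe reflected:', is_reflected(handle_delete_unsafe(encode_del(XSS_LOG_NAME))))
    print('hardened reflected:', is_reflected(handle_delete_hardened(encode_del(XSS_LOG_NAME))))
```

Escaping alone would close the XSS; the allowlist is there because the same parameter names a file to delete, so a name that is not a plain `.log` basename should never reach the filesystem call either. When testing a live instance, run `is_reflected` against the body of the follow-up `GET /admin/compass?logs=true` rather than the 302 response, since the flash is rendered on the page the redirect lands on.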