CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-7746 – Use of default credentials at Traccar fleet management solution
https://notcve.org/view.php?id=CVE-2024-7746
13 Aug 2024 — Use of Default Credentials vulnerability in Tananaev Solutions Traccar Server on Administrator Panel modules allows Authentication Abuse.This issue affects the privileged transactions implemented by the Traccar solution that should otherwise be protected by the authentication mechanism. These transactions could have an impact on any sensitive aspect of the platform, including Confidentiality, Integrity and Availability. • https://asrg.io/security-advisories/cve-2024-7746 • CWE-1392: Use of Default Credentials •
CVSS: 9.6EPSS: 68%CPEs: 1EXPL: 1CVE-2024-31214 – Traccar's unrestricted file upload vulnerability in device image upload could lead to remote code execution
https://notcve.org/view.php?id=CVE-2024-31214
10 Apr 2024 — Traccar is an open source GPS tracking system. Traccar versions 5.1 through 5.12 allow arbitrary files to be uploaded through the device image upload API. Attackers have full control over the file contents, full control over the directory where the file is stored, full control over the file extension, and partial control over the file name. While it's not for an attacker to overwrite an existing file, an attacker can create new files with certain names and attacker-controlled extensions anywhere on the file... • https://packetstorm.news/files/id/181800 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.5EPSS: 87%CPEs: 1EXPL: 4CVE-2024-24809 – Traccar vulnerable to Path Traversal: 'dir/../../filename' and Unrestricted Upload of File with Dangerous Type
https://notcve.org/view.php?id=CVE-2024-24809
10 Apr 2024 — Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this vulnerability to upload files with the prefix `device.` under any folder. Attackers can use this vulnerability for phishing, cross-site scripting attacks, and potentially execute arbitrary commands on the server. Vers... • https://packetstorm.news/files/id/181800 • CWE-27: Path Traversal: 'dir/../../filename' CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-50729 – An unrestricted file upload vulnerability in traccar leads to RCE
https://notcve.org/view.php?id=CVE-2023-50729
15 Jan 2024 — Traccar is an open source GPS tracking system. Prior to 5.11, Traccar is affected by an unrestricted file upload vulnerability in File feature allows attackers to execute arbitrary code on the server. This vulnerability is more prevalent because Traccar is recommended to run web servers as root user. It is also more dangerous because it can write or overwrite files in arbitrary locations. Version 5.11 was published to fix this vulnerability. • https://github.com/traccar/traccar/security/advisories/GHSA-pqf7-8g85-vx2q • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21292 – Unquoted Windows binary path in Traccar
https://notcve.org/view.php?id=CVE-2021-21292
02 Feb 2021 — Traccar is an open source GPS tracking system. In Traccar before version 4.12 there is an unquoted Windows binary path vulnerability. Only Windows versions are impacted. Attacker needs write access to the filesystem on the host machine. If Java path includes a space, then attacker can lift their privilege to the same as Traccar service (system). • https://github.com/traccar/traccar/commit/cc69a9907ac9878db3750aa14ffedb28626455da • CWE-428: Unquoted Search Path or Element •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2020-5246 – LDAP injection vulnerability in Traccar GPS Tracking System
https://notcve.org/view.php?id=CVE-2020-5246
14 Jul 2020 — Traccar GPS Tracking System before version 4.9 has a LDAP injection vulnerability. It occurs when user input is being used in LDAP search filter. By providing specially crafted input, an attacker can modify the logic of the LDAP query and get admin privileges. The issue only impacts instances with LDAP configuration and where users can craft their own names. This has been patched in version 4.9. • https://github.com/traccar/traccar/commit/e4f6e74e57ab743b65d49ae00f6624a20ca0291e • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-5748
https://notcve.org/view.php?id=CVE-2019-5748
09 Jan 2019 — In Traccar Server version 4.2, protocol/SpotProtocolDecoder.java might allow XXE attacks. En la versión 4.2 de Traccar Server, protocol/SpotProtocolDecoder.java podría permitir ataques de XEE (XML External Entity). • https://github.com/traccar/traccar/commit/d7f6c53fd88635885914013649b6807ec53227bf • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 9.8EPSS: 8%CPEs: 1EXPL: 1CVE-2018-1000881
https://notcve.org/view.php?id=CVE-2018-1000881
20 Dec 2018 — Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability in ComputedAttributesHandler.java that can result in Remote Command Execution. This attack appear to be exploitable via Remote: web application request by a self-registered user. This vulnerability appears to have been fixed in 4.1 and later. Traccar Traccar Server, en versiones 4.0 y anteriores, contiene una vulnerabilidad CWE-94: control incorrecto de la generación de c... • https://appcheck-ng.com/advisory-remote-code-execution-traccar-server • CWE-94: Improper Control of Generation of Code ('Code Injection') •