CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 1CVE-2024-24809 – Traccar vulnerable to Path Traversal: 'dir/../../filename' and Unrestricted Upload of File with Dangerous Type
https://notcve.org/view.php?id=CVE-2024-24809
Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this vulnerability to upload files with the prefix `device.` under any folder. Attackers can use this vulnerability for phishing, cross-site scripting attacks, and potentially execute arbitrary commands on the server. Version 6.0 contains a patch for the issue. • https://github.com/fa-rrel/CVE-2024-24809-Proof-of-concept https://github.com/traccar/traccar/commit/b099b298f90074c825ba68ce73532933c7b9d901 https://github.com/traccar/traccar/security/advisories/GHSA-vhrw-72f6-gwp5 • CWE-27: Path Traversal: 'dir/../../filename' CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-50729 – An unrestricted file upload vulnerability in traccar leads to RCE
https://notcve.org/view.php?id=CVE-2023-50729
Traccar is an open source GPS tracking system. Prior to 5.11, Traccar is affected by an unrestricted file upload vulnerability in File feature allows attackers to execute arbitrary code on the server. This vulnerability is more prevalent because Traccar is recommended to run web servers as root user. It is also more dangerous because it can write or overwrite files in arbitrary locations. Version 5.11 was published to fix this vulnerability. • https://github.com/traccar/traccar/security/advisories/GHSA-pqf7-8g85-vx2q • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-21292 – Unquoted Windows binary path in Traccar
https://notcve.org/view.php?id=CVE-2021-21292
Traccar is an open source GPS tracking system. In Traccar before version 4.12 there is an unquoted Windows binary path vulnerability. Only Windows versions are impacted. Attacker needs write access to the filesystem on the host machine. If Java path includes a space, then attacker can lift their privilege to the same as Traccar service (system). • https://github.com/traccar/traccar/commit/cc69a9907ac9878db3750aa14ffedb28626455da https://github.com/traccar/traccar/security/advisories/GHSA-j75r-7qm5-62q5 https://www.traccar.org • CWE-428: Unquoted Search Path or Element •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2020-5246 – LDAP injection vulnerability in Traccar GPS Tracking System
https://notcve.org/view.php?id=CVE-2020-5246
Traccar GPS Tracking System before version 4.9 has a LDAP injection vulnerability. It occurs when user input is being used in LDAP search filter. By providing specially crafted input, an attacker can modify the logic of the LDAP query and get admin privileges. The issue only impacts instances with LDAP configuration and where users can craft their own names. This has been patched in version 4.9. • https://github.com/traccar/traccar/commit/e4f6e74e57ab743b65d49ae00f6624a20ca0291e https://github.com/traccar/traccar/security/advisories/GHSA-v955-7g22-2p49 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') •