CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31214 – Traccar's unrestricted file upload vulnerability in device image upload could lead to remote code execution
https://notcve.org/view.php?id=CVE-2024-31214
Traccar is an open source GPS tracking system. Traccar versions 5.1 through 5.12 allow arbitrary files to be uploaded through the device image upload API. Attackers have full control over the file contents, full control over the directory where the file is stored, full control over the file extension, and partial control over the file name. While it's not for an attacker to overwrite an existing file, an attacker can create new files with certain names and attacker-controlled extensions anywhere on the file system. This can potentially lead to remote code execution, XSS, DOS, etc. • https://github.com/traccar/traccar/blob/master/src/main/java/org/traccar/model/Device.java#L56 https://github.com/traccar/traccar/blob/v5.12/src/main/java/org/traccar/api/resource/DeviceResource.java#L191 https://github.com/traccar/traccar/commit/3fbdcd81566bc72e319ec05c77cf8a4120b87b8f https://github.com/traccar/traccar/security/advisories/GHSA-3gxq-f2qj-c8v9 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 1CVE-2024-24809 – Traccar vulnerable to Path Traversal: 'dir/../../filename' and Unrestricted Upload of File with Dangerous Type
https://notcve.org/view.php?id=CVE-2024-24809
Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this vulnerability to upload files with the prefix `device.` under any folder. Attackers can use this vulnerability for phishing, cross-site scripting attacks, and potentially execute arbitrary commands on the server. Version 6.0 contains a patch for the issue. • https://github.com/fa-rrel/CVE-2024-24809-Proof-of-concept https://github.com/traccar/traccar/commit/b099b298f90074c825ba68ce73532933c7b9d901 https://github.com/traccar/traccar/security/advisories/GHSA-vhrw-72f6-gwp5 • CWE-27: Path Traversal: 'dir/../../filename' CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-50729 – An unrestricted file upload vulnerability in traccar leads to RCE
https://notcve.org/view.php?id=CVE-2023-50729
Traccar is an open source GPS tracking system. Prior to 5.11, Traccar is affected by an unrestricted file upload vulnerability in File feature allows attackers to execute arbitrary code on the server. This vulnerability is more prevalent because Traccar is recommended to run web servers as root user. It is also more dangerous because it can write or overwrite files in arbitrary locations. Version 5.11 was published to fix this vulnerability. • https://github.com/traccar/traccar/security/advisories/GHSA-pqf7-8g85-vx2q • CWE-434: Unrestricted Upload of File with Dangerous Type •