CVE-2024-24809

Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this vulnerability to upload files with the prefix `device.` under any folder. Attackers can use this vulnerability for phishing, cross-site scripting attacks, and potentially execute arbitrary commands on the server. Version 6.0 contains a patch for the issue.

CVSS v3 8.5 HIGH

8.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/traccar/traccar/commit/b099b298f90074c825ba68ce73532933c7b9d901
https://github.com/traccar/traccar/security/advisories/GHSA-vhrw-72f6-gwp5
https://github.com/traccar/traccar/commit/b099b298f90074c825ba68ce73532933c7b9d901
https://github.com/traccar/traccar/security/advisories/GHSA-vhrw-72f6-gwp5

Configurations

No configuration.

History

21 Nov 2024, 08:59

Type	Values Removed	Values Added
References	~~() https://github.com/traccar/traccar/commit/b099b298f90074c825ba68ce73532933c7b9d901 -~~	() https://github.com/traccar/traccar/commit/b099b298f90074c825ba68ce73532933c7b9d901 -
References	~~() https://github.com/traccar/traccar/security/advisories/GHSA-vhrw-72f6-gwp5 -~~	() https://github.com/traccar/traccar/security/advisories/GHSA-vhrw-72f6-gwp5 -
Summary		(es) Traccar es un sistema de seguimiento GPS de código abierto. Las versiones anteriores a la 6.0 son vulnerables a path traversal y a la carga sin restricciones de archivos con tipos peligrosos. Dado que el sistema permite el registro de forma predeterminada, los atacantes pueden adquirir permisos de usuario normales registrando una cuenta y aprovechar esta vulnerabilidad para cargar archivos con el prefijo "dispositivo" en cualquier carpeta. Los atacantes pueden utilizar esta vulnerabilidad para phishing, ataques de Cross-Site Scripting y, potencialmente, ejecutar comandos arbitrarios en el servidor. La versión 6.0 contiene un parche para el problema.

10 Apr 2024, 15:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-04-10 15:16

Updated : 2024-11-21 08:59

NVD link : CVE-2024-24809

Mitre link : CVE-2024-24809

CVE.ORG link : CVE-2024-24809

JSON object : View

Products Affected

No product.

CWE

CWE-27

Path Traversal: 'dir/../../filename'

CWE-434

Unrestricted Upload of File with Dangerous Type

8.5 /10