Vulnerabilities (CVE)

Filtered by vendor Traccar Subscribe
Total 6 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-50729 1 Traccar 1 Traccar 2024-11-21 N/A 8.4 HIGH
Traccar is an open source GPS tracking system. Prior to 5.11, Traccar is affected by an unrestricted file upload vulnerability in File feature allows attackers to execute arbitrary code on the server. This vulnerability is more prevalent because Traccar is recommended to run web servers as root user. It is also more dangerous because it can write or overwrite files in arbitrary locations. Version 5.11 was published to fix this vulnerability.
CVE-2021-21292 2 Microsoft, Traccar 2 Windows, Traccar 2024-11-21 1.9 LOW 5.5 MEDIUM
Traccar is an open source GPS tracking system. In Traccar before version 4.12 there is an unquoted Windows binary path vulnerability. Only Windows versions are impacted. Attacker needs write access to the filesystem on the host machine. If Java path includes a space, then attacker can lift their privilege to the same as Traccar service (system). This is fixed in version 4.12.
CVE-2020-5246 1 Traccar 1 Traccar 2024-11-21 4.0 MEDIUM 7.7 HIGH
Traccar GPS Tracking System before version 4.9 has a LDAP injection vulnerability. It occurs when user input is being used in LDAP search filter. By providing specially crafted input, an attacker can modify the logic of the LDAP query and get admin privileges. The issue only impacts instances with LDAP configuration and where users can craft their own names. This has been patched in version 4.9.
CVE-2019-5748 1 Traccar 1 Server 2024-11-21 7.5 HIGH 9.8 CRITICAL
In Traccar Server version 4.2, protocol/SpotProtocolDecoder.java might allow XXE attacks.
CVE-2018-1000881 1 Traccar 1 Server 2024-11-21 7.5 HIGH 9.8 CRITICAL
Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability in ComputedAttributesHandler.java that can result in Remote Command Execution. This attack appear to be exploitable via Remote: web application request by a self-registered user. This vulnerability appears to have been fixed in 4.1 and later.
CVE-2024-7746 1 Traccar 1 Traccar 2024-08-22 N/A 9.8 CRITICAL
Use of Default Credentials vulnerability in Tananaev Solutions Traccar Server on Administrator Panel modules allows Authentication Abuse.This issue affects the privileged transactions implemented by the Traccar solution that should otherwise be protected by the authentication mechanism.  These transactions could have an impact on any sensitive aspect of the platform, including Confidentiality, Integrity and Availability.