CVE-2024-24809

CVSS V2 None CVSS V3 None

Description

Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this vulnerability to upload files with the prefix `device.` under any folder. Attackers can use this vulnerability for phishing, cross-site scripting attacks, and potentially execute arbitrary commands on the server. Version 6.0 contains a patch for the issue.

Overview

CVE ID
CVE-2024-24809

Assigner
GitHub_M

Vulnerability Status
PUBLISHED

Published Version
2024-04-10T14:48:13.370Z

Last Modified Date
2024-06-04T17:43:07.468Z

Weakness Enumerations

CWE	URL
CWE-27	http://cwe.mitre.org/data/definitions/27.html
CWE-434	http://cwe.mitre.org/data/definitions/434.html

References

Reference URL	Reference Tags
https://github.com/traccar/traccar/security/advisories/GHSA-vhrw-72f6-gwp5	x_refsource_CONFIRM
https://github.com/traccar/traccar/commit/b099b298f90074c825ba68ce73532933c7b9d901	x_refsource_MISC

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-24809
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24809

History

Created	Old Value	New Value	Data Type	Notes
2024-06-26 04:12:36				Added to TrackCVE