Traccar Vulnerability Allows Remote Code Execution and Other Attacks

CVE-2024-31214

What is CVE-2024-31214?

An arbitrary file upload vulnerability exists in Traccar, an open-source GPS tracking system, affecting versions 5.1 through 5.12. This flaw allows attackers to upload arbitrary files via the device image upload API with complete control over the file contents, extension, and directory of storage. While overwriting existing files is not feasible, new files can be created with attacker-defined names and extensions across the file system. Given that Traccar installations typically run with root or system privileges and feature self-registration enabled by default, intruders can exploit this vulnerability with minimal barriers. The risk can lead to various threats such as remote code execution, cross-site scripting (XSS), and denial-of-service (DoS) attacks. Version 6.0 addresses this vulnerability, and turning off self-registration can significantly mitigate potential exploitation.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch →

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

Metasploit exploit module for CVE-2024-31214
Created by Rapid7

References