Traccar Vulnerability Allows Remote Code Execution and Other Attacks
CVE-2024-31214

9.6CRITICAL

Key Information:

Vendor: Traccar
Status: Traccar
Vendor: CVE Published:; 10 April 2024

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 22%

What is CVE-2024-31214?

An arbitrary file upload vulnerability exists in Traccar, an open-source GPS tracking system, affecting versions 5.1 through 5.12. This flaw allows attackers to upload arbitrary files via the device image upload API with complete control over the file contents, extension, and directory of storage. While overwriting existing files is not feasible, new files can be created with attacker-defined names and extensions across the file system. Given that Traccar installations typically run with root or system privileges and feature self-registration enabled by default, intruders can exploit this vulnerability with minimal barriers. The risk can lead to various threats such as remote code execution, cross-site scripting (XSS), and denial-of-service (DoS) attacks. Version 6.0 addresses this vulnerability, and turning off self-registration can significantly mitigate potential exploitation.

Affected Version(s)

traccar >= 5.1, < 6.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.