CVE-2024-24809 Vulnerability Details

  /     /     /  

CVE-2024-24809 Metadata Quick Info

CVE Published: 10/04/2024 | CVE Updated: 01/08/2024 | CVE Year: 2024
Source: GitHub_M | Vendor: traccar | Product: traccar
Status : PUBLISHED

---

CVE-2024-24809 Description

Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this vulnerability to upload files with the prefix `device.` under any folder. Attackers can use this vulnerability for phishing, cross-site scripting attacks, and potentially execute arbitrary commands on the server. Version 6.0 contains a patch for the issue.

Metrics

CVSS Version: 3.1 | Base Score: 8.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* LOW
    Privileges Required (PR)* LOW
    User Interaction (UI)* NONE
    Scope (S)* CHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* NONE
    Integrity Impact (I)* HIGH
    Availability Impact (A)* LOW

Weakness Enumeration (CWE)

CWE-ID: CWE-27
CWE Name: CWE-27: Path Traversal: dir/../../filename
Source: traccar

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).