The open-source GPS tracking server Traccar is affected by a high-severity path traversal vulnerability, tracked as CVE-2024-24809, and a critical unrestricted file upload flaw, tracked as CVE-2024-31214, which together could be chained to achieve remote code execution without authentication, reports The Hacker News.
Both issues, which affect Traccar versions 5.1 to 5.12, stem from how the platform handles device image file uploads and can be abused to write files to arbitrary locations when the registration setting is "true" and both deviceReadonly and readOnly are "false," which are the defaults for Traccar 5, an analysis from Horizon3.ai revealed. "The net result of CVE-2024-31214 and CVE-2024-24809 is that an attacker can place files with arbitrary content anywhere on the file system. However, an attacker only has partial control over the filename," said Horizon3.ai researcher Naveen Sunkavally, who also noted potential RCE on Windows systems by dropping an LNK file into the "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp" folder. Traccar has already addressed both flaws with version 6 of the platform, released in April.
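The precondition above (a 5.1 to 5.12 build with registration enabled and both deviceReadonly and readOnly disabled) is easy to check against the JSON that Traccar's own REST endpoint returns for the server object. The following script is an added example written for this page, not code from Traccar or from Horizon3.ai. It assumes that GET /api/server returns an object with "version", "registration", "readonly" and "deviceReadonly" fields (an assumption about the Traccar server model; keys are matched case-insensitively so "readOnly" is accepted too), and it embeds a constructed sample response so it runs offline. Note the numeric version comparison: comparing "5.10" and "5.2" as strings would misclassify affected builds.

```python
"""Assess whether a Traccar 5 instance matches the default configuration that
Horizon3.ai describes as the precondition for CVE-2024-24809 / CVE-2024-31214.

Input is the JSON object returned by GET /api/server. The field names
("version", "registration", "readonly", "deviceReadonly") are an assumption
about the Traccar server model, not something the article states; keys are
matched case-insensitively so "readOnly" and "readonly" are both accepted.
"""
import json
import re

AFFECTED_MIN = (5, 1)
AFFECTED_MAX = (5, 12)


def parse_version(version):
    """Turn '5.10' into (5, 10). Numeric comparison matters: as strings,
    '5.10' sorts before '5.2', which would misclassify affected builds."""
    m = re.match(r"^(\d+)\.(\d+)", str(version))
    if not m:
        raise ValueError(f"unrecognised Traccar version string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def version_affected(version):
    """True for 5.1 <= version <= 5.12, the range named in the advisory."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def assess(server_json):
    """Return the three relevant settings plus an overall verdict.

    'exposed' is True only when the version is in 5.1..5.12 AND the settings
    match the vulnerable defaults: registration=true, deviceReadonly=false,
    readOnly=false (an attacker can self-register and then edit devices)."""
    s = {k.lower(): v for k, v in server_json.items()}  # case-insensitive keys
    settings = {
        "registration": bool(s.get("registration", False)),
        "deviceReadonly": bool(s.get("devicereadonly", False)),
        "readOnly": bool(s.get("readonly", False)),
    }
    affected = version_affected(s.get("version", "0.0"))
    default_config = (settings["registration"]
                      and not settings["deviceReadonly"]
                      and not settings["readOnly"])
    return {
        "version_affected": affected,
        "default_config": default_config,
        "exposed": affected and default_config,
        "settings": settings,
    }


def mitigating_settings():
    """Settings that each break one clause of the precondition on an
    unpatched 5.x server: no self-registration, and non-admin users cannot
    edit devices (and so cannot upload device images). This is a stopgap;
    the actual fix is upgrading to Traccar 6."""
    return {"registration": False, "deviceReadonly": True}


# Constructed sample response, not captured from a real server.
SAMPLE_SERVER_JSON = json.loads("""{
  "id": 1, "version": "5.10", "registration": true,
  "readonly": false, "deviceReadonly": false
}""")

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_SERVER_JSON), indent=2))
```

In practice you would feed `assess()` the body of an authenticated GET /api/server request against your own instance; a verdict of `exposed` means the build is in the affected range and still carries the defaults that make the upload path reachable by a self-registered user.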