Vulnerability title
Traccar's device image upload contains an unrestricted file upload vulnerability that may lead to remote code execution.
Vulnerability description
N/A
CVSS information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability category
Unrestricted Upload of File with Dangerous Type
Vulnerability title
Traccar's unrestricted file upload vulnerability in device image upload could lead to remote code execution
Vulnerability description
Traccar is an open source GPS tracking system. Traccar versions 5.1 through 5.12 allow arbitrary files to be uploaded through the device image upload API. Attackers have full control over the file contents, full control over the directory where the file is stored, full control over the file extension, and partial control over the file name. While it is not possible for an attacker to overwrite an existing file, an attacker can create new files with certain names and attacker-controlled extensions anywhere on the file system. This can potentially lead to remote code execution, XSS, DoS, etc. The default install of Traccar makes this vulnerability more severe: self-registration is enabled by default, allowing anyone to create an account and exploit this vulnerability, and Traccar also runs by default with root/system privileges, allowing files to be placed anywhere on the file system. Version 6.0 contains a fix for the issue. One may also turn off self-registration by default, as that would make most vulnerabilities in the application much harder to exploit by default and reduce the severity considerably.
CVSS information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Vulnerability category
Unrestricted Upload of File with Dangerous Type
Vulnerability title
Traccar security vulnerability
Vulnerability description
Traccar is a Java-based web application from the US company Traccar that provides GPS tracking. The software supports more than 170 GPS protocols and more than 1500 models of GPS tracking device. Traccar can be used with any major SQL database system and also offers an easy-to-use REST API. Traccar versions 5.1 through 5.12 contain a security vulnerability that stems from allowing arbitrary files to be uploaded through the device image upload API; an attacker can exploit it to create new files with particular names and attacker-controlled extensions anywhere on the file system.
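Both descriptions above say the same thing about the flaw: the attacker controls the directory the upload lands in, its extension and its contents. The following is an added example, written for this page and not taken from Traccar, the advisory, or the 6.0 fix, of the checks an image-upload handler needs so that none of those three remains dangerously attacker-controlled, shown beside the weak pattern it replaces. The media root `/srv/traccar/media`, the naming scheme `<root>/<device id>/device.<ext>`, the device-id and image-type allow-lists, and the sample file bodies are all assumptions constructed for the example; the advisory does not say how Traccar builds its path.

```python
"""Constructed example: the validation an image-upload path needs before the
file is written.  This is not Traccar's code; the media root, the naming
scheme (<root>/<device id>/device.<ext>) and the allow-lists are assumptions."""
import os
import re
from pathlib import Path

# Assumed allow-list of image types the endpoint is willing to store.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp"}

# (offset, signature) pairs the file body must carry for each type, so an
# attacker can neither pair an image extension with an executable body nor
# pair an image body with an executable extension.
MAGIC = {
    "jpg": [(0, b"\xff\xd8\xff")],
    "jpeg": [(0, b"\xff\xd8\xff")],
    "png": [(0, b"\x89PNG\r\n\x1a\n")],
    "gif": [(0, b"GIF8")],                 # covers GIF87a and GIF89a
    "webp": [(0, b"RIFF"), (8, b"WEBP")],
}

# Device identifiers are limited to an allow-list of characters, so nothing
# that could act as a path separator or a ".." component gets through.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def naive_image_path(media_root: str, device_id: str, extension: str) -> str:
    """The weak pattern: caller-controlled directory and extension go straight
    into the path.  '../' in device_id escapes media_root and any extension is
    accepted, which is the shape of flaw the advisory describes."""
    return os.path.normpath(os.path.join(media_root, device_id, "device." + extension))


def body_matches(extension: str, content: bytes) -> bool:
    """True if every signature for the type is present at its offset."""
    return all(content[off:off + len(sig)] == sig for off, sig in MAGIC[extension])


def hardened_image_path(media_root: str, device_id: str, extension: str, content: bytes) -> Path:
    """Return the only path the upload may be written to, or raise ValueError.
    Directory, extension and body are each checked independently, and the
    final path is re-checked for containment as defence in depth."""
    root = Path(media_root).resolve()
    if not SAFE_NAME.fullmatch(device_id):
        raise ValueError("device id contains characters outside the allow-list")
    ext = extension.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {extension!r} is not an allowed image type")
    if not body_matches(ext, content):
        raise ValueError("file body does not match the claimed image type")
    target = (root / device_id / f"device.{ext}").resolve()
    if root not in target.parents:
        raise ValueError("resolved path escapes the media root")
    return target


def upload_allowed(media_root: str, device_id: str, extension: str, content: bytes) -> bool:
    """Accept/reject wrapper around hardened_image_path."""
    try:
        hardened_image_path(media_root, device_id, extension, content)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    root = "/srv/traccar/media"                    # assumed media root
    payload = b'<%@ page import="java.io.*" %>'    # constructed non-image body
    png = b"\x89PNG\r\n\x1a\n" + bytes(16)         # constructed PNG header
    print("naive path with traversal:", naive_image_path(root, "../../../var/www/html", "jsp"))
    print("hardened rejects traversal:", not upload_allowed(root, "../../../var/www/html", "jsp", payload))
    print("hardened rejects executable extension:", not upload_allowed(root, "device-42", "jsp", png))
    print("hardened rejects mismatched body:", not upload_allowed(root, "device-42", "png", payload))
    print("hardened accepts a real image:", hardened_image_path(root, "device-42", "PNG", png))
```

The containment check on the resolved path is deliberately kept even though the device-id regex already excludes separators: if someone later loosens the regex, the resolved path is still confined to the media root. The body check is what prevents the "image" extension from carrying server-side code, and the extension allow-list is what prevents an image body from being stored under an executable name.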
CVSS information
N/A
Vulnerability category
Other