CVE-2024-24809
Published: 2024-04-10
Priority: P268 · Severity: high · CVSS 3.1 base score: 8.5
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L
Exploit: public exploit available
EPSS: 54.41% (98.9th percentile)
Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this vulnerability to upload files with the prefix `device.` under any folder. Attackers can use this vulnerability for phishing, cross-site scripting attacks, and potentially execute arbitrary commands on the server. Version 6.0 contains a patch for the issue.
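To make the mechanism in the description concrete, the following is an added Python illustration (not Traccar's code, and not the 6.0 fix) of how an image path built from an attacker-controlled `uniqueId` and a `Content-Type`-derived extension escapes the media directory, next to a hardened version with a character allowlist, an extension allowlist and a containment check. The media root `/opt/traccar/media`, the `uniqueId` character set and the extension allowlist are assumptions made for the example.

```python
import posixpath
import re

# Assumed for illustration: where device images are stored. This is not taken
# from Traccar's configuration.
MEDIA_ROOT = "/opt/traccar/media"

# Assumed allowlists for the hardened variant (not Traccar's own rules).
SAFE_UNIQUE_ID = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "webp"}


def extension_from_content_type(content_type: str) -> str:
    """The weak pattern: trust the subtype of 'image/<x>' as the file extension."""
    media_type = content_type.split(";")[0].strip()
    if not media_type.lower().startswith("image/"):
        raise ValueError("not an image content type")
    return media_type[len("image/"):]


def vulnerable_media_path(unique_id: str, content_type: str) -> str:
    """Path for a device image built from unvalidated uniqueId and Content-Type.

    Illustrates the flaw class described in the advisory; not Traccar's code.
    The directory component is attacker controlled, so '..' segments walk out
    of MEDIA_ROOT, and the extension is whatever follows 'image/'.
    """
    ext = extension_from_content_type(content_type)
    return posixpath.normpath(posixpath.join(MEDIA_ROOT, unique_id, "device." + ext))


def hardened_media_path(unique_id: str, content_type: str) -> str:
    """Same construction with three independent checks.

    1. uniqueId must match a conservative character allowlist (no separators).
    2. The extension must be on an allowlist, not derived blindly from the header.
    3. The resolved path must still lie under MEDIA_ROOT (defence in depth in
       case check 1 is ever loosened).
    """
    if not SAFE_UNIQUE_ID.match(unique_id):
        raise ValueError("uniqueId contains characters that are not allowed")
    ext = extension_from_content_type(content_type).lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"image type not allowed: {ext}")
    path = posixpath.normpath(posixpath.join(MEDIA_ROOT, unique_id, "device." + ext))
    if posixpath.commonpath([MEDIA_ROOT, path]) != MEDIA_ROOT:
        raise ValueError("resolved path escapes the media directory")
    return path


def upload_rejection(unique_id: str, content_type: str):
    """Return the hardened check's rejection reason, or None when accepted."""
    try:
        hardened_media_path(unique_id, content_type)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed inputs: a cron.d drop and a file placed under the web root.
    print(vulnerable_media_path("../../../../etc/cron.d", "image/srHtgGrc"))
    print(vulnerable_media_path("../modern", "image/html"))
    print(upload_rejection("../../../../etc/cron.d", "image/srHtgGrc"))
```

The two vulnerable calls show why the advisory lists both command execution and phishing/XSS as outcomes: the same construction lands a `device.*` file in a cron directory or under the web root depending only on the `uniqueId` and the `Content-Type` subtype the client sends.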
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| traccar | traccar | < 6.0 | 6.0 |
Detection & IOCs (extracted from sources)
- Detect path traversal in the uniqueId field of PUT /api/devices requests: look for sequences such as '../' that resolve into sensitive directories, for example the web root /opt/traccar/modern.
- Monitor POST requests to /api/devices/{id}/image with non-standard or spoofed Content-Type headers (e.g., image/srHtgGrc) as an indicator of a malicious upload attempt; the subtype becomes the file extension.
- Alert on uploaded files matching the pattern device.* that appear outside the expected image directories, especially in web-accessible paths such as /opt/traccar/modern.
- On Red Hat-based Linux systems, monitor for new cron job files created by the Traccar process (which typically runs as root); the Metasploit module achieves RCE by dropping a cronjob payload.
- Flag the exploit-chain sequence of API calls from one source IP in quick succession: POST /api/users → POST /api/session → POST /api/devices → POST /api/devices/{id}/image → PUT /api/devices/{id}.
- Self-registration abuse: monitor POST /api/users for bulk account creation followed immediately by device creation and image upload, which indicates automated exploitation.
- The unauthenticated attack surface exists only while Traccar's default self-registration is enabled. Disabling registration removes it, but any authenticated user can still exploit the flaw.
- Traccar runs as root by default, so successful exploitation yields full system compromise rather than user-level access.
- The Metasploit RCE module (combining CVE-2024-24809 and CVE-2024-31214) is confirmed to work on Red Hat-based Linux systems; behaviour on other distributions may differ.
- CVE-2024-24809 (path traversal) is chained with CVE-2024-31214 (unrestricted file upload) to achieve RCE; the path traversal alone does not execute code.
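As an added example (not from this page, Traccar, or the Metasploit module), the detection points above implemented as three rules run over constructed request records of the kind a reverse proxy with request-body capture could produce: a traversal check on uniqueId in device create/update bodies, an allowlist check on the image upload Content-Type, and a per-source check that the full exploit-chain sequence occurred within a short window. The record field names, the allowed image types and the 300-second window are assumptions.

```python
import json
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample records (not real Traccar or proxy logs). Field names are
# assumed: a proxy that logs method, path, Content-Type and the request body.
SAMPLE_REQUESTS = [
    {"ts": 100.0, "src": "203.0.113.7", "method": "POST", "path": "/api/users",
     "content_type": "application/json",
     "body": '{"name":"x","email":"x@example.invalid","password":"x"}'},
    {"ts": 101.0, "src": "203.0.113.7", "method": "POST", "path": "/api/session",
     "content_type": "application/x-www-form-urlencoded",
     "body": "email=x%40example.invalid&password=x"},
    {"ts": 102.0, "src": "203.0.113.7", "method": "POST", "path": "/api/devices",
     "content_type": "application/json",
     "body": '{"name":"dev","uniqueId":"ab12cd34"}'},
    {"ts": 103.0, "src": "203.0.113.7", "method": "PUT", "path": "/api/devices/17",
     "content_type": "application/json",
     "body": '{"id":17,"name":"dev","uniqueId":"../../../../etc/cron.d"}'},
    {"ts": 104.0, "src": "203.0.113.7", "method": "POST", "path": "/api/devices/17/image",
     "content_type": "image/srHtgGrc", "body": "(payload bytes omitted)"},
    # Benign traffic from another client: an ordinary PNG upload.
    {"ts": 200.0, "src": "198.51.100.9", "method": "POST", "path": "/api/devices/3/image",
     "content_type": "image/png", "body": "\x89PNG..."},
]

TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
IMAGE_UPLOAD = re.compile(r"^/api/devices/\d+/image$")
DEVICE_ITEM = re.compile(r"^/api/devices/\d+$")
ALLOWED_IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}  # assumed
CHAIN_STEPS = ("register", "login", "create_device", "upload_image", "update_device")
CHAIN_WINDOW = 300.0  # seconds; assumed


def classify(req):
    """Map a request to the exploit-chain step it could represent, or None."""
    m, p = req["method"], req["path"]
    if m == "POST" and p == "/api/users":
        return "register"
    if m == "POST" and p == "/api/session":
        return "login"
    if m == "POST" and p == "/api/devices":
        return "create_device"
    if m == "POST" and IMAGE_UPLOAD.match(p):
        return "upload_image"
    if m == "PUT" and DEVICE_ITEM.match(p):
        return "update_device"
    return None


def unique_id_from_body(body):
    """Extract uniqueId from a JSON device body; tolerate non-JSON bodies."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return None
    return doc.get("uniqueId") if isinstance(doc, dict) else None


def detect(requests):
    """Return (rule, src, detail) alerts for the three rules described above."""
    alerts = []
    by_src = defaultdict(list)
    for r in requests:
        step = classify(r)
        if step in ("create_device", "update_device"):
            uid = unique_id_from_body(r.get("body", ""))
            # Decode once so %2e%2e%2f-style encodings are caught too.
            if uid and TRAVERSAL.search(unquote(uid)):
                alerts.append(("traversal_unique_id", r["src"], uid))
        if step == "upload_image":
            ct = r.get("content_type", "").split(";")[0].strip().lower()
            if ct not in ALLOWED_IMAGE_TYPES:
                alerts.append(("suspicious_image_type", r["src"], ct))
        if step:
            by_src[r["src"]].append((r["ts"], step))
    # Chain rule: every step seen from one source inside CHAIN_WINDOW, any order.
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {s for t, s in events[i:] if t - t0 <= CHAIN_WINDOW}
            if all(s in seen for s in CHAIN_STEPS):
                alerts.append(("exploit_chain", src, f"{len(seen)} steps within {CHAIN_WINDOW:.0f}s"))
                break
    return alerts


if __name__ == "__main__":
    for rule, src, detail in detect(SAMPLE_REQUESTS):
        print(rule, src, detail)
```

The chain rule is deliberately order-insensitive: it fires when all five steps are present from one source inside the window, so a tool that reorders the update and upload calls, or retries one of them, is still caught. The first two rules need the request body and the Content-Type header, which ordinary access logs do not record; place the check at a proxy or WAF that captures them.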
Metasploit
Traccar v5 Remote Code Execution (CVE-2024-31214 and CVE-2024-24809) · metasploit · HIGH · CVSS 8.5
Remote Code Execution in Traccar v5.1 - v5.12. Remote code execution can be obtained by combining two vulnerabilities: A path traversal vulnerability (CVE-2024-24809) and an unrestricted file upload vulnerability (CVE-2024-31214). By default, the application allows self-registration, enabling any user to register an account and exploit the issues. Moreover, the application runs by default with root privileges, potentially resulting in a complete system compromise. This module, which should work on any Red Hat-based Linux system, exploits these issues by adding a new cronjob file that executes the specified payload.
Nuclei
Traccar - Unrestricted File Upload · nuclei · HIGH · CVSS 8.5
Template:

```yaml
id: CVE-2024-24809

info:
  name: Traccar - Unrestricted File Upload
  author: DhiyaneshDK
  severity: high
  description: |
    Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable
```
References
- https://github.com/traccar/traccar/security/advisories/GHSA-vhrw-72f6-gwp5
- https://github.com/traccar/traccar/commit/b099b298f90074c825ba68ce73532933c7b9d901