Traccar
CVE-2024-7746
CRITICAL
Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (asrg) · only source for this CVE.
CVSS VectorVendor: asrg
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Use of Default Credentials vulnerability in Tananaev Solutions Traccar Server on Administrator Panel modules allows Authentication Abuse.This issue affects the privileged transactions implemented by the Traccar solution that should otherwise be protected by the authentication mechanism. These transactions could have an impact on any sensitive aspect of the platform, including Confidentiality, Integrity and Availability.
AnalysisAI
Use of Default Credentials vulnerability in Tananaev Solutions Traccar Server on Administrator Panel modules allows Authentication Abuse. Rated critical severity (CVSS 9.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Use of Default Credentials (CWE-1392), which allows attackers to gain access using factory-default usernames and passwords. Use of Default Credentials vulnerability in Tananaev Solutions Traccar Server on Administrator Panel modules allows Authentication Abuse. These transactions could have an impact on any sensitive aspect of the platform, including Confidentiality, Integrity and Availability. Affected products include: Traccar.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Force credential change on first use, remove default accounts, document required credential changes.
Traccar is an open source GPS tracking system. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploi
Traccar versions 6.11.1 and later allow authenticated users to inject malicious JavaScript into other users' browsers by
Traccar GPS tracking system through version 6.11.1 allows authenticated users to hijack OAuth 2.0 authorization codes th
Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijack
Traccar GPS tracking system through version 6.11.1 allows authenticated users to conduct arbitrary file writes by settin
Traccar versions 6.11.1 through 6.13.0 fail to escape user-controlled device and computed attributes in CSV export funct
Traccar GPS Tracking System before version 4.9 has a LDAP injection vulnerability. Rated medium severity (CVSS 6.5), thi
Traccar is an open source GPS tracking system. Rated medium severity (CVSS 6.3), this vulnerability is no authentication
XML injection in Traccar 6.11.1 through 6.12.x allows authenticated users with low privileges to inject malicious XML in
Stored cross-site scripting (XSS) in Traccar 6.11.1 through 6.12.x allows low-privilege authenticated users to inject ma
Incorrect authorization in Traccar's DeviceResource.uploadImage endpoint allows authenticated low-privilege users to ove
Same weakness CWE-1392 – Use of Default Credentials
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today