Skip to main content

Traccar CVE-2024-7746

CRITICAL
Use of Default Credentials (CWE-1392)
2024-08-13 cve@asrg.io
9.5
CVSS 4.0 · Vendor: asrg
Share

Severity by source

Vendor (asrg) PRIMARY
9.5 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (asrg) · only source for this CVE.

CVSS VectorVendor: asrg

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
CVE Published
Aug 13, 2024 - 16:15 cve.org
CRITICAL 9.5

DescriptionCVE.org

Use of Default Credentials vulnerability in Tananaev Solutions Traccar Server on Administrator Panel modules allows Authentication Abuse.This issue affects the privileged transactions implemented by the Traccar solution that should otherwise be protected by the authentication mechanism. These transactions could have an impact on any sensitive aspect of the platform, including Confidentiality, Integrity and Availability.

AnalysisAI

Use of Default Credentials vulnerability in Tananaev Solutions Traccar Server on Administrator Panel modules allows Authentication Abuse. Rated critical severity (CVSS 9.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Use of Default Credentials (CWE-1392), which allows attackers to gain access using factory-default usernames and passwords. Use of Default Credentials vulnerability in Tananaev Solutions Traccar Server on Administrator Panel modules allows Authentication Abuse. These transactions could have an impact on any sensitive aspect of the platform, including Confidentiality, Integrity and Availability. Affected products include: Traccar.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Force credential change on first use, remove default accounts, document required credential changes.

CVE-2024-31214 CRITICAL POC
9.6 Apr 10

Traccar is an open source GPS tracking system. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploi

CVE-2026-25648 HIGH POC
8.7 Feb 23

Traccar versions 6.11.1 and later allow authenticated users to inject malicious JavaScript into other users' browsers by

CVE-2026-25649 HIGH POC
7.3 Feb 23

Traccar GPS tracking system through version 6.11.1 allows authenticated users to hijack OAuth 2.0 authorization codes th

CVE-2025-68930 HIGH POC
7.1 Feb 23

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijack

CVE-2026-23521 MEDIUM POC
6.5 Feb 23

Traccar GPS tracking system through version 6.11.1 allows authenticated users to conduct arbitrary file writes by settin

CVE-2026-27644 MEDIUM
6.5 May 05

Traccar versions 6.11.1 through 6.13.0 fail to escape user-controlled device and computed attributes in CSV export funct

CVE-2020-5246 MEDIUM
6.5 Jul 14

Traccar GPS Tracking System before version 4.9 has a LDAP injection vulnerability. Rated medium severity (CVSS 6.5), thi

CVE-2021-21292 MEDIUM
6.3 Feb 02

Traccar is an open source GPS tracking system. Rated medium severity (CVSS 6.3), this vulnerability is no authentication

CVE-2026-27693 MEDIUM
5.4 May 05

XML injection in Traccar 6.11.1 through 6.12.x allows authenticated users with low privileges to inject malicious XML in

CVE-2026-27694 MEDIUM
5.4 May 05

Stored cross-site scripting (XSS) in Traccar 6.11.1 through 6.12.x allows low-privilege authenticated users to inject ma

CVE-2026-44314 MEDIUM
5.3 May 26

Incorrect authorization in Traccar's DeviceResource.uploadImage endpoint allows authenticated low-privilege users to ove

Share

CVE-2024-7746 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy