Traccar
Monthly
Incorrect authorization in Traccar's DeviceResource.uploadImage endpoint allows authenticated low-privilege users to overwrite device image files on the server, bypassing readonly and deviceReadonly access restrictions that all other device mutation paths correctly enforce. Traccar versions prior to 6.13.0 are affected, and the root cause is a missing permissionsService.checkEdit call in the image upload route that is present everywhere else in the mutation surface. A proof-of-concept exists per SSVC data, though EPSS sits at 0.03% (9th percentile), indicating limited real-world exploitation activity to date. The vendor-released fix is available in version 6.13.0.
Stored cross-site scripting (XSS) in Traccar 6.11.1 through 6.12.x allows low-privilege authenticated users to inject malicious HTML into device, geofence, and driver name fields, which is then rendered unescaped in email notification templates sent to other users. This enables phishing attacks or spoofed email content delivered via the application's notification system. The vulnerability is fixed in version 6.13.0.
XML injection in Traccar 6.11.1 through 6.12.x allows authenticated users with low privileges to inject malicious XML into KML and GPX export files by crafting device names, corrupting file structure and spoofing location data when other users open exported files. Vendor-released patch: version 6.13.0.
Traccar versions 6.11.1 through 6.13.0 fail to escape user-controlled device and computed attributes in CSV export functionality, allowing authenticated attackers to inject spreadsheet formulas that execute when a manager or administrator opens the exported file, potentially leading to command execution or data exfiltration. The vulnerability requires user interaction (opening the CSV) but, once exploited, impacts confidentiality, integrity, and availability. Patch available in version 6.13.0.
Traccar GPS tracking system through version 6.11.1 allows authenticated users to hijack OAuth 2.0 authorization codes through unvalidated redirect URIs in OIDC endpoints, enabling account takeover on integrated applications. The vulnerability stems from missing whitelist validation on the redirect_uri parameter, permitting attackers to exfiltrate authorization codes to attacker-controlled servers. Public exploit code exists for this HIGH severity flaw, and no patch is currently available.
Traccar versions 6.11.1 and later allow authenticated users to inject malicious JavaScript into other users' browsers by uploading unsanitized SVG files as device images, exploiting improper Content-Type handling. Public exploit code exists for this reflected cross-site scripting vulnerability, which could enable session hijacking or credential theft with no patch currently available.
Traccar GPS tracking system through version 6.11.1 allows authenticated users to conduct arbitrary file writes by setting device identifiers to absolute paths, which bypass path validation during image uploads. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with device management privileges could write files outside the intended media directory, potentially compromising system integrity.
Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the `/api/socket` endpoint. The application fails to validate the `Origin` header during the WebSocket handshake. [CVSS 7.1 HIGH]