Critical Flaws in Traccar GPS System Expose Users to Remote Attacks
Briefly

The net result of CVE-2024-31214 and CVE-2024-24809 is that an attacker can place files with arbitrary content anywhere on the file system, while only partially controlling the filename.
The vulnerabilities stem from how Traccar handles device image file uploads, which lets attackers overwrite critical system files and thereby execute malicious code.
In a hypothetical proof-of-concept devised by Horizon3.ai, an adversary can exploit the path traversal in the Content-Type header to upload a crontab file, leading to a reverse shell.
These two path traversal flaws could allow unauthenticated attackers to achieve remote code execution when guest registration is enabled, which is the default in Traccar's configuration.
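As an added illustration (neither Traccar's own code nor Horizon3.ai's proof-of-concept), the following Python models the pattern behind the flaw, an upload handler that derives the stored file's extension from the Content-Type subtype, beside a hardened version and a check usable when triaging upload logs; the storage root, allow-list and function names are assumed placeholders.

```python
import posixpath
import re

# Illustrative model of the bug class, not Traccar's source. The storage
# root and the image allow-list are assumed placeholders.
UPLOAD_ROOT = "/var/lib/images"
ALLOWED_SUBTYPES = {"png", "jpeg", "gif", "webp"}
# Strict subtype grammar: a plain token, so '/', '\\', '.', '%' cannot appear.
SUBTYPE_RE = re.compile(r"^image/([a-z0-9][a-z0-9+-]*)$")


def _subtype(content_type: str):
    """Strip parameters (e.g. '; charset=...'), lower-case, match the grammar."""
    media = content_type.split(";", 1)[0].strip().lower()
    return SUBTYPE_RE.match(media)


def naive_target_path(device_id: int, content_type: str) -> str:
    """Vulnerable pattern: the subtype is used verbatim as the extension.
    A subtype carrying '../' sequences walks out of UPLOAD_ROOT once the
    path is normalised."""
    ext = content_type.split("/", 1)[1]
    return posixpath.normpath(f"{UPLOAD_ROOT}/device{device_id}.{ext}")


def is_under_root(path: str) -> bool:
    """Containment check: True only if the normalised path lies strictly
    inside UPLOAD_ROOT. Also usable to triage paths recorded in upload logs."""
    root = posixpath.normpath(UPLOAD_ROOT) + "/"
    return posixpath.normpath(path).startswith(root)


def safe_target_path(device_id: int, content_type: str) -> str:
    """Hardened pattern: allow-list the subtype under a strict grammar, then
    independently verify the resulting path stays under the root."""
    m = _subtype(content_type)
    if not m or m.group(1) not in ALLOWED_SUBTYPES:
        raise ValueError(f"rejected Content-Type: {content_type!r}")
    target = posixpath.normpath(f"{UPLOAD_ROOT}/device{device_id}.{m.group(1)}")
    if not is_under_root(target):
        raise ValueError("resolved path escapes upload root")
    return target


def suspicious_content_type(content_type: str) -> bool:
    """Detection helper for proxy or WAF logs: flags image Content-Type
    values whose subtype is not a plain token."""
    return _subtype(content_type) is None
```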
Read at The Hacker News