CVE-2024-24809

Source
https://cve.org/CVERecord?id=CVE-2024-24809
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-24809.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-24809
Aliases
  • GHSA-vhrw-72f6-gwp5
Published
2024-04-10T14:48:13.370Z
Modified
2026-07-09T10:21:12.484647Z
Severity
  • 8.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L CVSS Calculator
Summary
Traccar vulnerable to Path Traversal: 'dir/../../filename' and Unrestricted Upload of File with Dangerous Type
Details

Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this vulnerability to upload files with the prefix device. under any folder. Attackers can use this vulnerability for phishing, cross-site scripting attacks, and potentially execute arbitrary commands on the server. Version 6.0 contains a patch for the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/24xxx/CVE-2024-24809.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-27",
        "CWE-434"
    ]
}
References

Affected packages

Git / github.com/traccar/traccar

Affected ranges

Type
GIT
Repo
https://github.com/traccar/traccar
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "6.0"
        }
    ]
}

Affected versions

v2.*
v2.0
v2.1
v2.10
v2.11
v2.12
v2.2
v2.3
v2.4
v2.5
v2.6
v2.7
v2.8
v2.9
v3.*
v3.0
v3.1
v3.10
v3.11
v3.12
v3.13
v3.14
v3.15
v3.16
v3.17
v3.2
v3.4
v3.5
v3.6
v3.7
v3.8
v3.9
v4.*
v4.0
v4.1
v4.10
v4.11
v4.12
v4.13
v4.14
v4.15
v4.2
v4.3
v4.4
v4.5
v4.6
v4.7
v4.8
v4.9
v5.*
v5.0
v5.1
v5.10
v5.11
v5.12
v5.2
v5.3
v5.4
v5.5
v5.6
v5.7
v5.8
v5.9

Database specific

vanir_signatures_modified
"2026-07-09T10:21:12Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-24809.json"
vanir_signatures
[
    {
        "id": "CVE-2024-24809-97f88190",
        "digest": {
            "line_hashes": [
                "74808720426878502994212136747045830959",
                "261953669297654708218436383518940420539",
                "66005620080790843754421542260666171314",
                "321479212436890351224233572587422893410",
                "298117560143114341514011213004102954082",
                "313991898618218427622514602455973928479",
                "285915247893142268095931853393600023248",
                "198992772485994984023518079832778261625",
                "315087012082449764599321795110064041881",
                "21375002979317948735087444390419224504",
                "127850333543905484246164641097271529676",
                "11863412352109266155814878663627143376"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/traccar/traccar/commit/b099b298f90074c825ba68ce73532933c7b9d901",
        "deprecated": false,
        "target": {
            "file": "src/main/java/org/traccar/api/resource/DeviceResource.java"
        }
    },
    {
        "id": "CVE-2024-24809-f46ae8c9",
        "digest": {
            "function_hash": "38772422499441037556732003494462412170",
            "length": 297.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/traccar/traccar/commit/b099b298f90074c825ba68ce73532933c7b9d901",
        "deprecated": false,
        "target": {
            "function": "imageExtension",
            "file": "src/main/java/org/traccar/api/resource/DeviceResource.java"
        }
    }
]