PT-2024-5771 · Traccar · Traccar

Nvn1729 · Published 2024-04-10 · Updated 2025-01-09 · CVE-2024-31214

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Traccar versions 5.1 through 5.12
Description: The issue allows arbitrary files to be uploaded through the device image upload API, giving attackers full control over the file contents, directory, and extension, and partial control over the file name. This can potentially lead to remote code execution, XSS, and DoS. The default installation of Traccar, with self-registration enabled and running with root/system privileges, makes this issue more severe.
Recommendations: For Traccar versions 5.1 through 5.12, update to version 6.0 to resolve the issue. As a temporary workaround, consider turning off self-registration to reduce the severity of the vulnerability. Restrict access to the device image upload API to minimize the risk of exploitation.
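As an added illustration (not Traccar's code), the following server-side check for an image upload endpoint removes the three things the description says the uploader controls: the target directory, the extension, and the file name. The function name, the allowlist and the size limit are assumptions made for this example.

```python
import os
import uuid
from pathlib import Path

# Allowlisted image types: extension -> magic bytes the content must start with.
# (Assumed allowlist for this example, not Traccar's configuration.)
IMAGE_SIGNATURES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
MAX_IMAGE_BYTES = 500_000  # assumed limit


class UploadRejected(ValueError):
    pass


def validated_image_path(base_dir: str, device_id: int, client_name: str, content: bytes) -> Path:
    """Return the server-chosen path for an uploaded device image, or raise.

    The client-supplied name is used only to read the claimed extension; its
    directory components and base name are discarded, so the uploader controls
    neither where the file lands nor what it is called, and the extension must
    be on the allowlist and agree with the file's magic bytes.
    """
    if not isinstance(device_id, int) or device_id <= 0:
        raise UploadRejected("invalid device id")
    if len(content) == 0 or len(content) > MAX_IMAGE_BYTES:
        raise UploadRejected("empty or oversized upload")
    # Drop any path components ("../", absolute paths, backslashes) before
    # looking at the extension.
    leaf = os.path.basename(client_name.replace("\\", "/"))
    ext = os.path.splitext(leaf)[1].lower()
    magic = IMAGE_SIGNATURES.get(ext)
    if magic is None:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    if not content.startswith(magic):
        raise UploadRejected("content does not match the claimed image type")
    # Server-generated location: per-device directory, random base name,
    # allowlisted extension. Re-check containment after resolving.
    base = Path(base_dir).resolve()
    target = (base / str(device_id) / f"{uuid.uuid4().hex}{ext}").resolve()
    if base not in target.parents:
        raise UploadRejected("path escapes the image directory")
    return target
```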

Tags: Exploit · Fix · DoS · RCE · Unrestricted File Upload


Weakness Enumeration

Related Identifiers: BDU:2024-06484, CVE-2024-31214, GHSA-3GXQ-F2QJ-C8V9

Affected Products: Traccar