Traccar Vulnerability List
5 vulnerabilities related to Traccar were found
- Traccar Local File Inclusion (CVE-2025-61666) No POC
  Traccar versions 5.8 - 6.0 are vulnerable only if `<entry key='web.override'>./override</entry>` is set in the configuration file. Versions 6.1 - 6.8.1 are vulnerable by default, because the web override is enabled by default.
- CVE-2024-24809: Traccar - Unrestricted File Upload POC
  Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this vulnerability to upload files with the prefix `device.` under any folder. Attackers can use this vulnerability for phishing, cross-site scripting attacks, and potentially execute arbitrary commands on the server. Version 6.0 contains a patch for the issue.
- CVE-2024-24809: Traccar - Unrestricted File Upload POC
  Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this vulnerability to upload files with the prefix `device.` under any folder. Attackers can use this vulnerability for phishing, cross-site scripting attacks, and potentially execute arbitrary commands on the server. Version 6.0 contains a patch for the issue.
- traccar-settings-disclosure: Traccar Server Settings - Disclosure POC
  Traccar exposes server settings at the /api/server endpoint without authentication.
- Traccar Default Password No POC
  Traccar is an open source GPS tracking system. If default settings or weak passwords are used in the Traccar system configuration, an attacker may gain unauthorized access, which may lead to data leakage or system compromise.