Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the `/api/socket` endpoint. The application fails to validate the `Origin` header during the WebSocket handshake. This allows a remote attacker to bypass the Same Origin Policy (SOP) and establish a full-duplex WebSocket connection using a legitimate user's credentials (JSESSIONID). As of time of publication, it is unclear whether a fix is available.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:NTraccar
APPTraccar≤ 6.11.1
Related vulnerabilities
Traccar Server – pominięcie uwierzytelnienia przez domyślne dane logowania
Traccar: nieograniczony upload plików prowadzący do RCE
Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which a...
Versions of the Traccar open-source GPS tracking system starting with 6.11.1 contain an issue in which authent...
Traccar is an open source GPS tracking system. Prior to 5.11, Traccar is affected by an unrestricted file uplo...