Versions of the Traccar open-source GPS tracking system starting with 6.11.1 contain an issue in which authenticated users can execute arbitrary JavaScript in the context of other users' browsers by uploading malicious SVG files as device images. The application accepts SVG file uploads without sanitization and serves them with the `image/svg+xml` Content-Type, allowing embedded JavaScript to execute when victims view the image. As of time of publication, it is unclear whether a fix is available.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:NTraccar
APPTraccar≥ 6.11.1
Related vulnerabilities
Traccar Server – pominięcie uwierzytelnienia przez domyślne dane logowania
Traccar: nieograniczony upload plików prowadzący do RCE
Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which a...
Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSoc...
Traccar is an open source GPS tracking system. Prior to 5.11, Traccar is affected by an unrestricted file uplo...