CVE-2020-5246 HIGH

CVE-2020-5246: LDAP injection vulnerability in Traccar GPS Tracking System

Vendor Traccar
Product Traccar
Weakness CWE-90 · LDAP injection
Published July 14, 2020
Last update August 4, 2024

CVSS base score

7.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

What the vulnerability does

01 Description

Traccar GPS Tracking System before version 4.9 has an LDAP injection vulnerability. It occurs when user input is used in an LDAP search filter without neutralizing filter metacharacters. By providing specially crafted input, an attacker can modify the logic of the LDAP query and gain admin privileges. The issue only affects instances that have LDAP configured and where users can craft their own names. It has been patched in version 4.9.
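The weakness class described above (CWE-90), shown as an added example that is not Traccar's code: a search filter built by plain concatenation next to one that escapes the value per RFC 4515. The filter template, the `uid` attribute and the sample inputs are assumptions constructed for illustration.

```python
# Added example, not Traccar's code. Filter template and attribute name
# are hypothetical; sample inputs are constructed.

# RFC 4515, section 3: these characters in an assertion value must be
# written as a backslash followed by two hex digits.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one value for use inside an LDAP search filter."""
    # Mapping character by character avoids double-escaping backslashes.
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str) -> str:
    """Vulnerable pattern: user input becomes part of the filter syntax."""
    return "(&(objectClass=person)(uid=" + username + "))"


def build_filter_safe(username: str) -> str:
    """Hardened pattern: user input can only ever be a literal value."""
    return "(&(objectClass=person)(uid=" + escape_filter_value(username) + "))"


def component_count(ldap_filter: str) -> int:
    """Count raw '(' characters, i.e. filter components the server will parse."""
    return ldap_filter.count("(")


if __name__ == "__main__":
    # Constructed inputs: an ordinary name and a name with filter metacharacters.
    for name in ("bob", "alice)(objectClass=*"):
        unsafe, safe = build_filter_unsafe(name), build_filter_safe(name)
        print(f"input : {name!r}")
        print(f"unsafe: {unsafe}  components={component_count(unsafe)}")
        print(f"safe  : {safe}  components={component_count(safe)}")
```

With escaping, the number of filter components stays at three for any input; a change in that count between the template and the final filter is a simple signal that user data altered the query structure.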

Key dates

02 Disclosure timeline

July 14, 2020 CVE published
August 4, 2024 Record updated