Traccar Stored Cross-Site Scripting Vulnerability via Unsanitized SVG File Upload

Vulnerability

A stored cross-site scripting vulnerability has been identified in Traccar versions 6.11.1 and later. This issue allows authenticated users to execute arbitrary JavaScript in the context of other users' browsers by uploading malicious SVG files as device images. The application accepts SVG uploads without proper sanitization and serves them with the 'image/svg+xml' Content-Type, enabling the execution of embedded JavaScript when the image is viewed. The vulnerability arises from the '/api/devices/{id}/image' endpoint, which lacks content filtering for SVG files. As a result, any JavaScript included in the SVG can run in the browser of anyone who views the image.

Impact

Exploitation of this vulnerability allows for session hijacking, as attackers can steal session cookies from users who view the malicious SVG, leading to full account takeover. Additionally, this vulnerability could be used for privilege escalation by targeting administrators, and it allows for the execution of arbitrary JavaScript to access and exfiltrate sensitive data. The uploaded SVG is stored on the server, causing the malicious script to execute whenever any user views the device, creating a persistent threat.

Reproduction

To reproduce this vulnerability, an authenticated user with permission to edit a device can upload a malicious SVG file containing JavaScript payloads as a device image. After the SVG is uploaded, the JavaScript executes in the context of any user who views the device, such as an administrator, allowing the attacker to steal session cookies and hijack accounts.

Remediation

It is recommended to disallow SVG uploads entirely or, if SVG support is necessary, to sanitize the SVG content before saving it. Alternatively, the Content-Disposition header can be set to serve files as attachments, preventing inline rendering, or a Content Security Policy can be added to restrict script execution.
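As an added illustration of the remediation above (example code written for this page, not Traccar's own code or anything from the advisory), the Python below validates a device-image upload on its bytes, rejecting SVG content whatever the filename or the client's declared Content-Type says, and returns the assumed response headers that stop a stored image from being rendered inline or running script:

```python
import re
from typing import Optional

# Magic-byte signatures of raster formats a device-image endpoint can safely allow.
RASTER_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
# An <svg root element near the start of the file, after any XML prolog or comments.
_SVG_ROOT = re.compile(rb"<\s*svg[\s>/]", re.IGNORECASE)
# Constructed samples for the demo and test below (not taken from the advisory).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SVG_SAMPLE = b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg"/>\n'

def detect_image_type(data: bytes) -> Optional[str]:
    """MIME type implied by the leading bytes, or None if not an allowed raster format."""
    for sig, mime in RASTER_SIGNATURES.items():
        if data.startswith(sig):
            return mime
    return None

def looks_like_svg(data: bytes) -> bool:
    """True if the first KiB contains an <svg root, regardless of extension or declared type."""
    return _SVG_ROOT.search(data[:1024]) is not None

def validate_device_image(data: bytes, declared_type: str) -> tuple:
    """Decide on the bytes alone whether an upload may be stored; returns (accepted, detail)."""
    if looks_like_svg(data):  # an SVG renamed to .png or declared as image/png still fails here
        return False, "rejected: SVG content"
    actual = detect_image_type(data)
    if actual is None:
        return False, "rejected: not a recognised raster image"
    declared = declared_type.split(";")[0].strip().lower()
    if declared != actual:
        return False, f"rejected: declared {declared} but content is {actual}"
    return True, actual

def safe_image_headers(mime: str, filename: str) -> dict:
    """Assumed response headers for serving a stored image so the browser never treats it
    as a scriptable document: no type sniffing, no inline rendering, no script via CSP."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{filename}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```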

Added: Feb 23, 2026, 9:23 PM
Updated: Feb 23, 2026, 9:23 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.