Traccar CSV Export Vulnerability Allows Formula Injection and Arbitrary Command Execution

Vulnerability

A vulnerability in Traccar's CSV export feature, present from version 6.11.1 up to, but not including, 6.13.0, allows CSV injection: position data, including user-controlled device attributes, is written into the CSV output without neutralizing cells that begin with a formula character. An attacker who controls an attribute value can therefore plant a spreadsheet formula that is interpreted when the exported file is opened in spreadsheet software, where it can execute commands on the viewer's machine (for example through DDE or external-data functions) or exfiltrate cell contents to an attacker-controlled host. The vulnerability has been patched in version 6.13.0.

Impact

Depending on the spreadsheet application and its security settings, a crafted cell can lead to command execution on the machine of the user who opens the export, exfiltration of the sheet's contents to an attacker-controlled host, phishing through injected hyperlinks, and exploitation across user boundaries: a low-privileged user plants the payload in a device attribute, and a higher-privileged user who exports the same data triggers it. Payloads containing delimiters or line breaks can also corrupt the CSV structure, misaligning the exported columns.

Reproduction

To reproduce this vulnerability, log in as a low-privileged user, create a device, and set a computed attribute whose value begins with a formula character (for example =). Export position data in CSV format for that device, then open the exported file in a spreadsheet application; the attribute value appears in the output unescaped and is interpreted as a formula. Note that most current spreadsheet applications prompt before executing DDE or external links, so the command-execution outcome depends on the viewer accepting that prompt.

Remediation

Users are advised to update to Traccar version 6.13.0, where this vulnerability has been patched. Until the upgrade is applied, CSV exports from an affected instance should be treated as untrusted input: open them in a text editor or in a spreadsheet application with external data and DDE disabled, and do not forward them to users with higher privileges.
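The following is an added illustration of the flaw and of the generic CSV-injection mitigation; it is not Traccar's code and does not reproduce the exact change made in 6.13.0. It models the export described in the Reproduction section with a vulnerable writer beside a hardened one that neutralizes leading formula characters, and adds an audit check that flags formula-like cells in an exported file while leaving legitimate negative coordinates alone. The sample rows and the payload are constructed for the example.

```python
import csv
import io

# Characters that make common spreadsheet applications treat a cell as a
# formula when they appear at the start of the cell (OWASP CSV injection list).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

HEADER = ["deviceId", "latitude", "longitude", "note"]


def looks_numeric(cell):
    """True for plain numbers such as negative coordinates, which start with
    '-' but are not formulas and must not be mangled or flagged."""
    try:
        float(cell)
        return True
    except ValueError:
        return False


def vulnerable_export(rows):
    """Constructed model of the flawed behaviour: attribute values are written
    verbatim, so a value beginning with '=' survives into the CSV as a formula."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(HEADER)
    for row in rows:
        writer.writerow(row)
    return buf.getvalue()


def neutralize_cell(value):
    """Prefix a string that starts with a formula character with a single quote
    so spreadsheet software displays it as text. Numbers pass through untouched."""
    if isinstance(value, str) and value.startswith(FORMULA_PREFIXES) \
            and not looks_numeric(value):
        return "'" + value
    return value


def hardened_export(rows):
    """Same export with every cell passed through neutralize_cell first.
    The csv module still quotes cells containing delimiters or line breaks,
    which prevents the structural corruption mentioned in the Impact section."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(HEADER)
    for row in rows:
        writer.writerow([neutralize_cell(v) for v in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Audit check for an already exported file: return (row, column, cell)
    for every cell a spreadsheet would interpret as a formula."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_PREFIXES) and not looks_numeric(cell):
                hits.append((r, c, cell))
    return hits


# Constructed sample: two benign devices (one with a negative latitude) and one
# whose attribute carries a classic DDE-style payload. Hypothetical data.
SAMPLE_ROWS = [
    (1, 52.5200, 13.4050, "delivery van"),
    (2, -33.8688, 151.2093, "sydney depot"),
    (3, 48.8566, 2.3522, "=cmd|' /C calc'!A0"),
]

if __name__ == "__main__":
    print("vulnerable export flags:", find_formula_cells(vulnerable_export(SAMPLE_ROWS)))
    print("hardened export flags:  ", find_formula_cells(hardened_export(SAMPLE_ROWS)))
    print(hardened_export(SAMPLE_ROWS))
```

The apostrophe prefix is the widely used mitigation because it is honoured by every major spreadsheet importer, but it remains visible as a literal character in some of them, so the hardened form should be applied at export time to untrusted fields only, not to numeric columns. The `find_formula_cells` check can be run over exports from an unpatched instance before anyone opens them.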

Added: May 5, 2026, 1:31 PM
Updated: May 5, 2026, 1:31 PM

Vulnerability Rating

Custom Algorithm
spread 3.1
impact 1.7
exploitability 4.9
remediation 7.7
relevance 7.5
threat 6.4
urgency 2.9
incentive 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.