org.traccar:traccar
cpe:2.3:a:traccar:server:*:*:*:*:*:*:*, +1 more
- >= 6.11.1, < 6.13.0
A stored HTML injection vulnerability has been identified in Traccar, an open-source GPS tracking system, in versions from 6.11.1 up to but not including 6.13.0. The issue arises in the email notification templates, which insert user-controlled names of devices, geofences, and drivers into HTML emails without proper escaping. This flaw allows an attacker with low privileges to inject HTML that is then rendered in emails sent to other users with access to the affected devices, potentially leading to phishing attacks or spoofed content.
Exploitation of this vulnerability allows for phishing attacks, content spoofing, and email tracking. Injected HTML is rendered in email notifications, creating opportunities to deceive recipients into clicking links or providing personal information. The vulnerability also affects other users who share access to the same devices, amplifying the impact.
To reproduce this vulnerability, log in as a user with low privileges and create a device with a name that includes malicious HTML, such as a phishing link. Share this device with a user who has email notifications enabled. Once the device triggers a notification event, the user will receive an email containing the injected HTML, which will be rendered as a clickable link or styled content, depending on the payload.
Users are advised to update to Traccar version 6.13.0, where this vulnerability has been fixed.
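The root cause described above is a template that interpolates user-controlled names (device, geofence, driver) into HTML without escaping. The following is an added example, not Traccar's own code, that contrasts a vulnerable renderer with a hardened one and adds a simple check a defender can run over stored names to find entries that already contain markup. The template string, the field names and the sample device name (with a placeholder URL) are all constructed for this illustration and do not reflect Traccar's actual templates.

```python
import html
import re

# Constructed sample input: a device name carrying HTML markup, of the kind the
# advisory describes. The URL is a placeholder, not a real address.
SAMPLE_DEVICE_NAME = 'Truck 7 <a href="https://example.invalid/login">verify</a>'

# Hypothetical notification template; Traccar's real templates differ.
ALERT_TEMPLATE = "<p>Device {name} entered geofence {geofence}.</p>"


def render_unescaped(template: str, **fields: str) -> str:
    """Vulnerable rendering: user-controlled fields are interpolated verbatim,
    so any tags inside a name become part of the email's HTML."""
    return template.format(**fields)


def render_escaped(template: str, **fields: str) -> str:
    """Hardened rendering: every user-controlled field is HTML-escaped
    (including quotes) before it is interpolated into the template."""
    safe = {key: html.escape(value, quote=True) for key, value in fields.items()}
    return template.format(**safe)


# Matches an opening or closing HTML tag such as <a ...>, </a>, <img ...>.
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def contains_markup(value: str) -> bool:
    """Detection helper: True when a stored name contains HTML tags, which is
    useful for auditing existing device/geofence/driver names after patching."""
    return bool(_TAG_RE.search(value))


if __name__ == "__main__":
    print("unescaped:", render_unescaped(ALERT_TEMPLATE, name=SAMPLE_DEVICE_NAME, geofence="Depot"))
    print("escaped:  ", render_escaped(ALERT_TEMPLATE, name=SAMPLE_DEVICE_NAME, geofence="Depot"))
    print("flagged:  ", contains_markup(SAMPLE_DEVICE_NAME))
```

Escaping at render time is the fix that matters, because a name-validation rule alone can be bypassed by any path that writes names without going through it; the `contains_markup` check is a complement for reviewing data that was stored before the upgrade, not a substitute for output encoding.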