CVE-2017-17097

CRITICAL

GPS Tracking Software 2.x - Info Disclosure

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-17097. PoCs published by Noman Riffat.

AI-analyzed exploit summary: The writeup describes two vulnerabilities in GPS-SERVER.NET SAAS CMS <=3.0: a remote code injection via log file manipulation and a password reset vulnerability due to predictable passwords. The code injection requires admin interaction to execute, while the password reset can be exploited with timing synchronization.

Description

gps-server.net GPS Tracking Software (self hosted) 2.x has a password reset procedure that immediately resets passwords upon an unauthenticated request, and then sends e-mail with a predictable (date-based) password to the admin, which makes it easier for remote attackers to obtain access by predicting this new password. This is related to the use of gmdate for password creation in fn_connect.php.

Exploits (1)

exploitdb WRITEUP
by Noman Riffat · text · webapps · php
https://www.exploit-db.com/exploits/43431

Classification: Writeup 90%
Attack Type: RCE | Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: GPS-SERVER.NET SAAS CMS <=3.0
No auth needed
Prerequisites: Access to password recovery form · Accurate timing synchronization for password prediction
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Patch, Third Party Advisory x_refsource_misc
https://gist.github.com/pak0s/ea7a80c2614d9cd43cfb8230c65c9fec
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/43431/
Release Notes, Vendor Advisory x_refsource_misc
https://s1.gps-server.net/changelog.txt

Scores

CVSS v3 9.8
EPSS 0.0695
EPSS Percentile 93.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-640
Status published
Products (33)
gps-server/gps_tracking_software 2.1.1
gps-server/gps_tracking_software 2.1.2
gps-server/gps_tracking_software 2.1.3
gps-server/gps_tracking_software 2.1.4
gps-server/gps_tracking_software 2.1.5
gps-server/gps_tracking_software 2.1.6
gps-server/gps_tracking_software 2.1.7
gps-server/gps_tracking_software 2.1.8
gps-server/gps_tracking_software 2.1.9
gps-server/gps_tracking_software 2.2
... and 23 more
Published Jan 02, 2018
Tracked Since Feb 18, 2026