CVE-2017-17097

CRITICAL

GPS Tracking Software 2.x - Info Disclosure

Title source: llm

Description

gps-server.net GPS Tracking Software (self hosted) 2.x has a password reset procedure that immediately resets passwords upon an unauthenticated request, and then sends e-mail with a predictable (date-based) password to the admin, which makes it easier for remote attackers to obtain access by predicting this new password. This is related to the use of gmdate for password creation in fn_connect.php.

Exploits (1)

exploitdb WRITEUP
by Noman Riffat · textwebappsphp
https://www.exploit-db.com/exploits/43431

References (3)

Scores

CVSS v3 9.8
EPSS 0.3689
EPSS Percentile 97.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-640
Status published
Products (33)
gps-server/gps_tracking_software 2.1.1
gps-server/gps_tracking_software 2.1.2
gps-server/gps_tracking_software 2.1.3
gps-server/gps_tracking_software 2.1.4
gps-server/gps_tracking_software 2.1.5
gps-server/gps_tracking_software 2.1.6
gps-server/gps_tracking_software 2.1.7
gps-server/gps_tracking_software 2.1.8
gps-server/gps_tracking_software 2.1.9
gps-server/gps_tracking_software 2.2
... and 23 more
Published Jan 02, 2018
Tracked Since Feb 18, 2026