CVE-2017-17098

CRITICAL

GPS Tracking Software <3.0 - Code Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-17098. PoCs published by Noman Riffat.

AI-analyzed exploit summary The writeup describes two vulnerabilities in GPS-SERVER.NET SAAS CMS <=3.0: a remote code injection via log file manipulation and a password reset vulnerability due to predictable passwords. The code injection requires admin interaction to execute, while the password reset can be exploited with timing synchronization.

Description

The writeLog function in fn_common.php in gps-server.net GPS Tracking Software (self hosted) through 3.0 allows remote attackers to inject arbitrary PHP code via a crafted request that is mishandled during admin log viewing, as demonstrated by <?php system($_GET[cmd]); ?> in a login request.

Exploits (1)

exploitdb WRITEUP
by Noman Riffat · textwebappsphp
https://www.exploit-db.com/exploits/43431

The writeup describes two vulnerabilities in GPS-SERVER.NET SAAS CMS <=3.0: a remote code injection via log file manipulation and a password reset vulnerability due to predictable passwords. The code injection requires admin interaction to execute, while the password reset can be exploited with timing synchronization.

Classification
Writeup 90%
Attack Type
Rce | Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: GPS-SERVER.NET SAAS CMS <=3.0
No auth needed
Prerequisites: Access to password recovery form · Accurate timing synchronization for password prediction
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Patch, Third Party Advisory x_refsource_misc
https://gist.github.com/pak0s/ea7a80c2614d9cd43cfb8230c65c9fec
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/43431/
Release Notes, Vendor Advisory x_refsource_misc
https://s1.gps-server.net/changelog.txt

Scores

CVSS v3 9.8
EPSS 0.0664
EPSS Percentile 93.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Products (1)
gps-server/gps_tracking_software < 3.0
Published Jan 02, 2018
Tracked Since Feb 18, 2026