CVE-2020-5246
Traccar < 4.9 - LDAP Injection via User Input in LDAP Search Filter
Severity
HIGH
Title source: llmDescription
Traccar GPS Tracking System before version 4.9 has an LDAP injection vulnerability. It occurs when user input is used in an LDAP search filter without escaping. By providing specially crafted input, an attacker can modify the logic of the LDAP query and obtain admin privileges. The issue only impacts instances with LDAP configured and where users can choose their own names. This has been patched in version 4.9.
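The weakness described above is user input placed verbatim into an LDAP search filter. The following is an added illustrative example, not Traccar's code and not the patch from the linked commit: it contrasts raw concatenation (the CWE-90 pattern) with escaping the value per RFC 4515 section 3, and includes a small structural check that counts unescaped parentheses so a defender can see that the escaped filter still contains exactly one assertion. The attribute name `uid`, the filter shape, and the sample usernames are assumptions constructed for illustration.

```python
"""Added example: escaping user input used inside an LDAP search filter.

Not Traccar's code. The attribute name `uid` and the filter shape
`(uid=<name>)` are assumptions for illustration.
"""

# RFC 4515 section 3 reserves these characters inside an assertion value;
# each must be replaced by a backslash followed by its two hex digits.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value (RFC 4515).

    Non-ASCII characters are additionally emitted as escaped UTF-8 bytes,
    which RFC 4515 permits and which keeps the output pure ASCII.
    """
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            out.extend(r"\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def unsafe_user_filter(username: str) -> str:
    """CWE-90 pattern: the raw value is concatenated into the filter, so
    filter metacharacters in `username` become part of the query logic."""
    return "(uid=%s)" % username


def safe_user_filter(username: str) -> str:
    """Hardened form: the value is escaped, so it can only ever match a
    literal uid, whatever characters it contains."""
    return "(uid=%s)" % escape_filter_value(username)


def count_unescaped_parens(filt: str) -> tuple:
    """Return (opens, closes) for parentheses that are not part of a
    backslash-hex escape. A single-assertion filter should yield (1, 1)."""
    opens = closes = 0
    i = 0
    while i < len(filt):
        ch = filt[i]
        if ch == "\\":
            i += 3  # skip the escape: backslash plus two hex digits
            continue
        if ch == "(":
            opens += 1
        elif ch == ")":
            closes += 1
        i += 1
    return opens, closes


if __name__ == "__main__":
    # Constructed sample input containing filter metacharacters.
    name = "a)(b"
    print("unsafe:", unsafe_user_filter(name), count_unescaped_parens(unsafe_user_filter(name)))
    print("safe:  ", safe_user_filter(name), count_unescaped_parens(safe_user_filter(name)))
```

Running the module shows the unescaped filter gaining extra assertions from the input, while the escaped filter keeps a single `(uid=...)` assertion. Where the LDAP client library offers parameterised filters or its own escaping routine, that is preferable to a hand-written escaper; the function here exists to make the rule visible.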
References (2)
Third Party Advisory (x_refsource_confirm): https://github.com/traccar/traccar/security/advisories/GHSA-v955-7g22-2p49
Patch, Third Party Advisory (x_refsource_misc): https://github.com/traccar/traccar/commit/e4f6e74e57ab743b65d49ae00f6624a20ca0291e
Scores
CVSS v3
7.7
EPSS
0.0085
EPSS Percentile
53.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Details
CWE
CWE-90
CWE-74
Status
published
Products (1)
traccar/traccar
< 4.9
Published
Jul 14, 2020
Tracked Since
Feb 18, 2026