Multiple vulnerabilities in TCMAN GIM

Posted date 26/05/2025
Identifier
INCIBE-2025-0270
Importance
5 - Critical
Affected Resources

GIM, version 11.

Description

INCIBE has coordinated the publication of 4 vulnerabilities, one of critical severity and 3 of high severity, affecting TCMAN GIM, a software tool for managing maintenance services and an organisation's physical assets. The vulnerabilities were discovered by Carlos Aguadé.

These vulnerabilities have been assigned the following codes, CVSS v4.0 base scores, CVSS vectors and CWE vulnerability types.

  • CVE-2025-40664: CVSS v4.0: 9.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N | CWE-306
  • CVE-2025-40665 and CVE-2025-40666: CVSS v4.0: 8.7 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89
  • CVE-2025-40667: CVSS v4.0: 8.7 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N | CWE-862
Solution

The vulnerabilities have been fixed by the TCMAN team in the 20241112 release.

Detail
  • CVE-2025-40664: missing authentication vulnerability in TCMAN GIM v11. This allows an unauthenticated attacker to reach the user-management page methods /frmGestionUser.aspx/GetData, /frmGestionUser.aspx/updateUser and /frmGestionUser.aspx/DeleteUser.
  • Time-based blind SQL injection vulnerabilities in TCMAN's GIM v11. These allow an authenticated attacker (PR:L in the vector) to retrieve, create, update and delete database contents. The assigned identifiers and the affected parameters are as follows:
    • CVE-2025-40665: ArbolID parameter in /GIMWeb/PC/frmCorrectivosList.aspx.
    • CVE-2025-40666: ArbolID parameter in /GIMWeb/PC/frmPreventivosList.aspx.
  • CVE-2025-40667: missing authorization vulnerability in TCMAN's GIM v11. This allows an authenticated attacker to access any functionality of the application, even functionality that is not exposed to that user in the user interface. To exploit the vulnerability the attacker must modify the HTTP status code of the response from ‘302 Found’ to ‘200 OK’, as well as the hidden fields hdnReadOnly and hdnUserLogin; that is, the access decision is enforced on the client side rather than on the server.
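For teams that run GIM and want to look back through web server logs for attempts against the issues above, the following is an added example (not TCMAN's or INCIBE's code) that scans IIS W3C extended log lines for the two patterns that are visible in access logs: hits on the three frmGestionUser.aspx page methods with no authenticated user recorded, and ArbolID values on the two list pages that carry a time-delay primitive. The log lines are constructed for the example, the field order is an assumption taken from the constructed #Fields header, the assumption that ArbolID is normally an integer is mine and not something the advisory states, and the cs-username check only works where IIS records the application's authenticated user; if it does not, treat every hit on those page methods as worth review. CVE-2025-40667 is not covered because the forged response code and hidden fields do not appear in access logs.

```python
"""Log-based detection for the TCMAN GIM v11 issues in this advisory.

Added example, not TCMAN's or INCIBE's code. Walks IIS W3C extended log
lines (constructed below; field order is an assumption) and flags:
  * CVE-2025-40664: frmGestionUser.aspx page methods hit with no
    authenticated user in cs-username;
  * CVE-2025-40665 / CVE-2025-40666: ArbolID on the two list pages carrying
    a time-delay primitive, or not a plain integer (integer expectation is
    an assumption, not something the advisory states).
"""
import re
from urllib.parse import unquote_plus

# Assumed field order, matching the #Fields line of the constructed sample.
FIELDS = ["date", "time", "cs-method", "cs-uri-stem", "cs-uri-query",
          "cs-username", "c-ip", "sc-status"]

# Paths from the advisory, compared case-insensitively (IIS paths are).
USER_PAGE_METHODS = ("/frmgestionuser.aspx/getdata",
                     "/frmgestionuser.aspx/updateuser",
                     "/frmgestionuser.aspx/deleteuser")
ARBOLID_PAGES = {"/gimweb/pc/frmcorrectivoslist.aspx": "CVE-2025-40665",
                 "/gimweb/pc/frmpreventivoslist.aspx": "CVE-2025-40666"}

# Delay primitives used in time-based blind SQL injection across common engines.
TIME_BASED = re.compile(r"waitfor\s+(delay|time)|\b(sleep|pg_sleep|benchmark)\s*\(",
                        re.IGNORECASE)

# Constructed sample, not a real log.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2025-05-26 10:01:02 POST /GIMWeb/frmGestionUser.aspx/GetData - - 203.0.113.7 200
2025-05-26 10:01:09 POST /GIMWeb/frmGestionUser.aspx/DeleteUser - - 203.0.113.7 200
2025-05-26 10:02:15 GET /GIMWeb/PC/frmCorrectivosList.aspx ArbolID=12 GIM\\jlopez 198.51.100.4 200
2025-05-26 10:02:31 GET /GIMWeb/PC/frmCorrectivosList.aspx ArbolID=12'%3BWAITFOR+DELAY+'0:0:5'-- GIM\\jlopez 198.51.100.4 200
2025-05-26 10:02:40 GET /GIMWeb/PC/frmPreventivosList.aspx ArbolID=12+AND+1%3D1 GIM\\jlopez 198.51.100.4 200
2025-05-26 10:03:00 POST /GIMWeb/frmGestionUser.aspx/updateUser - GIM\\admin 198.51.100.9 200
"""


def parse_line(line):
    """Split one W3C line into a dict; None for directive or malformed lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()  # IIS encodes spaces inside fields, so whitespace split is safe
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def query_params(query):
    """Decode cs-uri-query into {lowercased name: value}; IIS logs '-' when empty."""
    params = {}
    if query == "-":
        return params
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote_plus(key).lower()] = unquote_plus(value)
    return params


def classify(rec):
    """Return a list of (cve, reason) findings for one parsed log record."""
    stem = rec["cs-uri-stem"].lower()
    findings = []
    if stem.endswith(USER_PAGE_METHODS) and rec["cs-username"] == "-":
        findings.append(("CVE-2025-40664",
                         "user-management page method reached with no authenticated user"))
    cve = ARBOLID_PAGES.get(stem)
    if cve:
        arbol = query_params(rec["cs-uri-query"]).get("arbolid")
        if arbol is not None:
            if TIME_BASED.search(arbol):
                findings.append((cve, f"time-based SQLi primitive in ArbolID: {arbol!r}"))
            elif not arbol.isdigit():
                findings.append((cve, f"non-integer ArbolID (assumed integer): {arbol!r}"))
    return findings


def scan(log_text):
    """Return (timestamp, client ip, cve, reason) for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for cve, reason in classify(rec):
            hits.append((f"{rec['date']} {rec['time']}", rec["c-ip"], cve, reason))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit, sep=" | ")
```

Run against the constructed sample it flags the two anonymous page-method calls, the WAITFOR DELAY payload on frmCorrectivosList.aspx and the non-numeric ArbolID on frmPreventivosList.aspx, and leaves the authenticated updateUser call and the plain ArbolID=12 request alone. The non-integer check is deliberately looser than the delay regex and will produce review work on legitimate traffic if ArbolID is not numeric in your deployment; drop it in that case and keep the delay-primitive match.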