Multiple vulnerabilities in TCMAN GIM
Posted date 24/11/2025
Identifier
INCIBE-2025-0659
Importance
4 - High
Affected Resources
GIM, versions prior to 20250304.
Description
INCIBE has coordinated the publication of four vulnerabilities, two high severity and two medium severity, affecting TCMAN's GIM, a maintenance management software solution. The vulnerabilities were discovered by Hugo Leal Vara.
Each vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:
- CVE-2025-41012: CVSS v4.0: 8.7 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N | CWE-862
- CVE-2025-41013: CVSS v4.0: 8.7 | CVSS AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89
- CVE-2025-41014 and CVE-2025-41015: CVSS v4.0: 6.9 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-200
Solution
The vulnerabilities have been fixed by the TCMAN team in version 20250401.
Detail
- CVE-2025-41012: unauthorized access vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker to determine whether a user exists on the system by using the 'pda:userId' and 'pda:newPassword' parameters with 'soapaction UnlockUser' in '/WS/PDAWebService.asmx'.
- CVE-2025-41013: SQL injection vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an attacker to retrieve, create, update, and delete databases by sending a GET request using the 'idmant' parameter in '/PC/frmEPIS.aspx'.
- User enumeration vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker to determine whether a user exists on the system. The relationship between parameters and assigned identifiers is as follows:
  - CVE-2025-41014: 'pda:username' parameter with 'soapaction GetLastDatePasswordChange' in '/WS/PDAWebService.asmx'.
  - CVE-2025-41015: 'pda:username' parameter with 'soapaction GetUserQuestionAndAnswer' in '/WS/PDAWebService.asmx'.
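For teams reviewing web server logs on a GIM host, the following added example (not part of the INCIBE advisory and not TCMAN code) flags requests to the endpoints, SOAP actions and parameter listed above. It assumes W3C-format logs in which the SOAPAction request header is logged as a custom field named cs(SOAPAction), an alphanumeric shape for legitimate 'idmant' values, and a per-client burst threshold; the sample log lines and the namespace in them are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Paths, SOAP actions and parameter name are taken from the advisory text.
SOAP_PATH = "/ws/pdawebservice.asmx"
SOAP_ACTIONS = {
    "unlockuser": "CVE-2025-41012",
    "getlastdatepasswordchange": "CVE-2025-41014",
    "getuserquestionandanswer": "CVE-2025-41015",
}
SQLI_PATH, SQLI_PARAM = "/pc/frmepis.aspx", "idmant"
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,32}")  # assumption: shape of a legitimate idmant
BURST = 3  # assumption: calls per client and action before the pattern is reported
# Constructed sample log (documentation IP ranges, made-up SOAP namespace).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(SOAPAction)
2025-03-10 08:00:01 192.0.2.10 GET /PC/frmEPIS.aspx idmant=1042 200 -
2025-03-10 08:00:07 198.51.100.7 GET /PC/frmEPIS.aspx idmant=1042%27-- 500 -
2025-03-10 08:01:00 203.0.113.5 POST /WS/PDAWebService.asmx - 200 "http://example.invalid/GetUserQuestionAndAnswer"
2025-03-10 08:01:01 203.0.113.5 POST /WS/PDAWebService.asmx - 200 "http://example.invalid/GetUserQuestionAndAnswer"
2025-03-10 08:01:02 203.0.113.5 POST /WS/PDAWebService.asmx - 200 "http://example.invalid/GetUserQuestionAndAnswer"
2025-03-10 08:02:00 192.0.2.10 POST /WS/PDAWebService.asmx - 200 "http://example.invalid/UnlockUser"
"""

def analyze(log_text):
    """Return sorted (client_ip, cve, reason) findings for the advisory's endpoints."""
    fields, soap_calls, findings = [], Counter(), set()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names declared by the log itself
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        ip, path = row.get("c-ip", "?"), row.get("cs-uri-stem", "").lower()
        if path == SQLI_PATH:
            # parse_qsl percent-decodes, so encoded metacharacters are inspected too
            for key, value in parse_qsl(row.get("cs-uri-query", ""), keep_blank_values=True):
                if key.lower() == SQLI_PARAM and not SAFE_VALUE.fullmatch(value):
                    findings.add((ip, "CVE-2025-41013", "unexpected idmant value"))
        elif path == SOAP_PATH:
            action = row.get("cs(SOAPAction)", "").strip('"').rsplit("/", 1)[-1].lower()
            if action in SOAP_ACTIONS:
                soap_calls[(ip, SOAP_ACTIONS[action])] += 1
    for (ip, cve), count in soap_calls.items():
        if count >= BURST:
            findings.add((ip, cve, f"{count} calls to advisory-listed SOAP action"))
    return sorted(findings)
if __name__ == "__main__":
    print(*analyze(SAMPLE_LOG), sep="\n")
```

Legitimate clients may call the same SOAP actions, so the burst threshold should be tuned against normal traffic for the installation.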