TCMAN GIM Cross-Site Scripting (XSS)
GIM version v8.01 (r17331), (20200429) and 8.0.1 (r30155), (20210407).
INCIBE has coordinated the publication of a vulnerability in TCMAN GIM, with the internal code INCIBE-2021-0596, which has been discovered by Pablo Arias Rodríguez and Jorge Alberto Palma Reyes, researchers of the CSIRT-CV Red Team.
CVE-2021-4046 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.
This vulnerability has been solved by TCMAN in GIM v8.0.1 Release 31734.
The m_txtNom y m_txtCognoms parameters in TCMAN GIM allow an attacker to perform persistent XSS attacks.
This vulnerability could be used to carry out a number of browser-based attacks including browser hijacking or theft of sensitive data.
CWE-79: improper neutralization of input during web page generation (Cross-Site Scripting).
If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.