TCMAN GIM Cross-Site Scripting (XSS)

Posted date
02/08/2022
Importance
3 - Media
Affected Resources

GIM version v8.01 (r17331), (20200429) and 8.0.1 (r30155), (20210407).

Description

INCIBE has coordinated the publication of a vulnerability in TCMAN GIM, with the internal code INCIBE-2021-0596, which has been discovered by Pablo Arias Rodríguez and Jorge Alberto Palma Reyes, researchers of the CSIRT-CV Red Team.

CVE-2021-4046 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.

Solution

This vulnerability has been solved by TCMAN in GIM v8.0.1 Release 31734.

Detail

The m_txtNom y m_txtCognoms parameters in TCMAN GIM allow an attacker to perform persistent XSS attacks.

This vulnerability could be used to carry out a number of browser-based attacks including browser hijacking or theft of sensitive data.

CWE-79: improper neutralization of input during web page generation (Cross-Site Scripting).

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.

References list

botón arriba