Multiple vulnerabilities in TCMAN GIM
Posted date 09/06/2025
Identifier
INCIBE-2025-0300
Importance
3 - Medium
Affected Resources
GIM, version 11.
Description
INCIBE has coordinated the publication of 3 medium-severity vulnerabilities affecting TCMAN's GIM, a maintenance management software product. The vulnerabilities were discovered by Jorge Riopedre Vega.
Each vulnerability has been assigned the following CVE identifier, CVSS v4.0 base score, CVSS vector and CWE type:
- CVE-2025-40668 to CVE-2025-40670: CVSS v4.0: 7.1 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N | CWE-863
Solution
The vulnerabilities have been fixed by the TCMAN team. The manufacturer has reported that the vulnerabilities are not present in the latest version of GIM Web, version 20250128.
Detail
- CVE-2025-40668: incorrect authorization vulnerability in TCMAN's GIM v11. It allows an attacker with a low privilege level to change the passwords of other users through a POST request to /PC/WebService.aspx/validateChangePassword%C3%B1a using the parameters idUser, PasswordActual, PasswordNew and PasswordNewRepeat. The vulnerability is exploitable only when the PasswordActual parameter is empty.
- CVE-2025-40669: incorrect authorization vulnerability in TCMAN's GIM v11. It allows an unprivileged attacker to modify the permissions held by any of the application's users, including the attacker's own account, by sending a POST request to /PC/Options.aspx?Command=2&Page=-1.
- CVE-2025-40670: incorrect authorization vulnerability in TCMAN's GIM v11. It allows an unprivileged attacker to create a user and assign it many privileges by sending a POST request to /PC/frmGestionUser.aspx/updateUser.
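As an added illustration (not TCMAN's code: the handlers, the in-memory user store and the request values are constructed for this example, with only the parameter names taken from the advisory), the CWE-863 pattern described for CVE-2025-40668 is shown beside a hardened self-service password-change handler that binds the target account to the session and requires the current password:

```python
import hashlib
import hmac
import secrets

# Constructed in-memory store (hypothetical, not GIM's): idUser -> salt + hash.
def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _record(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash_pw(password, salt)}

def new_store() -> dict:
    # user 1 is an administrator, user 2 a low-privilege account (constructed)
    return {1: _record("admin-secret"), 2: _record("bob-secret")}

def verify(store: dict, user_id: int, password: str) -> bool:
    rec = store[user_id]
    return hmac.compare_digest(_hash_pw(password, rec["salt"]), rec["hash"])

def weak_change_password(store: dict, session_user: int, form: dict) -> str:
    """Flawed logic matching the advisory's description: the target account is
    whatever idUser the client sends, and an empty PasswordActual skips the
    current-password check entirely (CWE-863)."""
    target = int(form["idUser"])
    current = form.get("PasswordActual", "")
    if current and not verify(store, target, current):
        return "wrong current password"
    if form["PasswordNew"] != form["PasswordNewRepeat"]:
        return "mismatch"
    store[target] = _record(form["PasswordNew"])
    return "changed"

def safe_change_password(store: dict, session_user: int, form: dict) -> str:
    """Hardened self-service change: the target is always the authenticated
    session user (client-supplied idUser is ignored), and the current password
    is mandatory and verified before any write. Administrative resets of other
    accounts belong in a separate endpoint with its own permission check."""
    target = session_user
    current = form.get("PasswordActual", "")
    if not current or not verify(store, target, current):
        return "denied"
    if form["PasswordNew"] != form["PasswordNewRepeat"]:
        return "mismatch"
    store[target] = _record(form["PasswordNew"])
    return "changed"

# Request shaped like the advisory describes, sent by low-privilege user 2
# against the administrator's account with PasswordActual empty (constructed).
ATTEMPT = {"idUser": "1", "PasswordActual": "",
           "PasswordNew": "new-pass", "PasswordNewRepeat": "new-pass"}
```

The weak handler lets the request succeed, while the hardened one rejects it and only ever changes the session user's own password after the current one is verified.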