Gim
Monthly
User Enumeration Vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker to determine whether a user exists on the system. The vulnerability is exploitable through the 'pda:username' parameter with 'soapaction GetUserQuestionAndAnswer' in '/WS/PDAWebService.asmx'.
User Enumeration Vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker to determine whether a user exists on the system. The vulnerability is exploitable through the 'pda:username' parameter with 'soapaction GetLastDatePasswordChange' in '/WS/PDAWebService.asmx'.
SQL injection vulnerability in TCMAN GIM v11 in version 20250304. This vulnerability allows an attacker to retrieve, create, update, and delete databases by sending a GET request using the 'idmant' parameter in '/PC/frmEPIS.aspx'.
Unauthorized access vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker to determine whether a user exists on the system by using the 'pda:userId' and 'pda:newPassword' parameters with 'soapaction UnlockUser’ in '/WS/PDAWebService.asmx'.
CVE-2025-40670 is an incorrect authorization vulnerability in TCMAN's GIM (Gestion Integrada de Mantenimiento) v11 that allows an authenticated but unprivileged attacker to escalate privileges by creating new users with elevated permissions through an insecure API endpoint. An attacker with valid (low-privilege) credentials can POST to /PC/frmGestionUser.aspx/updateUser to arbitrarily assign administrative or other high-privilege roles to newly created accounts, resulting in complete system compromise. This vulnerability represents a critical privilege escalation risk in maintenance management systems, potentially affecting industrial and critical infrastructure environments that rely on TCMAN for asset management.
Incorrect authorization vulnerability in TCMAN's GIM v11. This vulnerability allows an unprivileged attacker to modify the permissions held by each of the application's users, including the user himself by sending a POST request to /PC/Options.aspx?Command=2&Page=-1.
Incorrect authorization vulnerability in TCMAN's GIM v11. This vulnerability allows an attacker, with low privilege level, to change the password of other users through a POST request using the parameters idUser, PasswordActual, PasswordNew and PasswordNewRepeat in /PC/WebService.aspx/validateChangePassword%C3%B1a. To exploit the vulnerability the PasswordActual parameter must be empty.
Missing authorization vulnerability in TCMAN's GIM v11. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Time-based blind SQL injection vulnerabilities in TCMAN's GIM v11. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Time-based blind SQL injection vulnerabilities in TCMAN's GIM v11. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Missing authentication vulnerability in TCMAN GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Unrestricted file upload in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SQL injection in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SQL injection in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SQL injection in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SQL injection in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SQL injection in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
User Enumeration Vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker to determine whether a user exists on the system. The vulnerability is exploitable through the 'pda:username' parameter with 'soapaction GetUserQuestionAndAnswer' in '/WS/PDAWebService.asmx'.
User Enumeration Vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker to determine whether a user exists on the system. The vulnerability is exploitable through the 'pda:username' parameter with 'soapaction GetLastDatePasswordChange' in '/WS/PDAWebService.asmx'.
SQL injection vulnerability in TCMAN GIM v11 in version 20250304. This vulnerability allows an attacker to retrieve, create, update, and delete databases by sending a GET request using the 'idmant' parameter in '/PC/frmEPIS.aspx'.
Unauthorized access vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker to determine whether a user exists on the system by using the 'pda:userId' and 'pda:newPassword' parameters with 'soapaction UnlockUser’ in '/WS/PDAWebService.asmx'.
CVE-2025-40670 is an incorrect authorization vulnerability in TCMAN's GIM (Gestion Integrada de Mantenimiento) v11 that allows an authenticated but unprivileged attacker to escalate privileges by creating new users with elevated permissions through an insecure API endpoint. An attacker with valid (low-privilege) credentials can POST to /PC/frmGestionUser.aspx/updateUser to arbitrarily assign administrative or other high-privilege roles to newly created accounts, resulting in complete system compromise. This vulnerability represents a critical privilege escalation risk in maintenance management systems, potentially affecting industrial and critical infrastructure environments that rely on TCMAN for asset management.
Incorrect authorization vulnerability in TCMAN's GIM v11. This vulnerability allows an unprivileged attacker to modify the permissions held by each of the application's users, including the user himself by sending a POST request to /PC/Options.aspx?Command=2&Page=-1.
Incorrect authorization vulnerability in TCMAN's GIM v11. This vulnerability allows an attacker, with low privilege level, to change the password of other users through a POST request using the parameters idUser, PasswordActual, PasswordNew and PasswordNewRepeat in /PC/WebService.aspx/validateChangePassword%C3%B1a. To exploit the vulnerability the PasswordActual parameter must be empty.
Missing authorization vulnerability in TCMAN's GIM v11. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Time-based blind SQL injection vulnerabilities in TCMAN's GIM v11. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Time-based blind SQL injection vulnerabilities in TCMAN's GIM v11. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Missing authentication vulnerability in TCMAN GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Unrestricted file upload in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SQL injection in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SQL injection in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SQL injection in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SQL injection in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SQL injection in TCMAN's GIM v11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.