GIM version v8.0.1 (r25269), (20220209).
INCIBE has coordinated the publication of 2 vulnerabilities in TCMAN GIM, which has been discovered by Pablo Arias Rodríguez and Jorge Alberto Palma Reyes, researchers of the CSIRT-CV Red Team.
These vulnerabilities have been assigned the following codes:
- CVE-2022-36276. A CVSS v3.1 base score of 9,9 has been calculated; the CVSS vector string is AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L. The vulnerability type is CWE-89: improper neutralization of special elements used in an SQL command (SQL injection).
- CVE-2022-36277. A CVSS v3.1 base score of 6,5 has been calculated; the CVSS vector string is AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability type is CWE-79: improper neutralization of input during web page generation (Cross-Site Scripting).
These vulnerabilities have been solved by TCMAN in GIM v8.0.1 (r7116), (20220504).
- CVE-2022-36276: TCMAN GIM v8.0.1 is vulnerable to a SQL injection via the 'SqlWhere' parameter inside the function 'BuscarESM'. The exploitation of this vulnerability might allow a remote attacker to directly interact with the database.
- CVE-2022-36277: the 'sReferencia', 'sDescripcion', 'txtCodigo' and 'txtDescripcion' parameters, in the frmGestionStock.aspx and frmEditServicio.aspx files in TCMAN GIM v8.0.1, could allow an attacker to perform persistent XSS attacks.
If you have any information regarding this advisory, please contact INCIBE as indicated in the 'CVE assignment and publication'.