Home / Early Warning / Security Advisories / TCMAN GIM Cross-Site Scripting (XSS)

TCMAN GIM Cross-Site Scripting (XSS)

Publication date: 
02/08/2022
Importance: 
3 - Media
Affected resources: 

GIM version v8.01 (r17331), (20200429) and 8.0.1 (r30155), (20210407).

Description: 

INCIBE has coordinated the publication of a vulnerability in TCMAN GIM, with the internal code INCIBE-2021-0596, which has been discovered by Pablo Arias Rodríguez and Jorge Alberto Palma Reyes, researchers of the CSIRT-CV Red Team.

CVE-2021-4046 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L.

Solution: 

This vulnerability has been solved by TCMAN in GIM v8.0.1 Release 31734.

Detail: 

The m_txtNom y m_txtCognoms parameters in TCMAN GIM allow an attacker to perform persistent XSS attacks.

This vulnerability could be used to carry out a number of browser-based attacks including browser hijacking or theft of sensitive data.

CWE-79: improper neutralization of input during web page generation (Cross-Site Scripting).

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.

Encuesta valoración