TCMAN GIM missing authorization vulnerability

Publication date:

12/14/2021

Importance:

3 - Media

Affected resources:

GIM version v8 and v11.

Description:

INCIBE has coordinated the publication of a vulnerability in TCMAN GIM, with the internal code INCIBE-2021-0511, which has been discovered by Víctor Fidalgo Villar, researcher in INCIBE.

CVE-2021-40853 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.1 has been calculated, the CVSS vector string is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.

Solution:

This vulnerability has been solved by TCMAN in GIM v8.0.1 Release 31734.

Detail:

TCMAN GIM does not perform an authorization check when trying to access determined resources. A remote attacker could exploit this vulnerability to access URL that require privileges without having them.

The exploitation of this vulnerability might allow a remote attacker to obtain sensible information.

CWE-862: missing authorization.

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.

References:

Ficha del producto GIM - TCMAN

Tags:

Corporate access

TCMAN GIM missing authorization vulnerability

Múltiples vulnerabilidades en router Netgear Orbi

Múltiples vulnerabilidades en productos Aspera Faspex de IBM

Múltiples vulnerabilidades en Moodle

Vulnerabilidades 0day en chipsets Exynos de Samsung

Múltiples vulnerabilidades en el core de Drupal