Home / Early Warning / Security Advisories / TCMAN GIM SQL improper authentication

TCMAN GIM SQL improper authentication

Publication date: 
4 - Alta
Affected resources: 

GIM version v8 and v11.


INCIBE has coordinated the publication of a vulnerability in TCMAN GIM, with the internal code INCIBE-2021-0509, which has been discovered by Francisco Palma, Luis Vázquez and Diego León from Zerolynx, with special mention to Jesús Alcalde, David Jiménez, José Hermoso, Sergio Gutiérrez, Juan Antonio Calles, Elina Cárdenas, Helena Jalain and Jorge Escabias.

CVE-2021-40851 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated, the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.


This vulnerability has been solved by TCMAN in GIM v8.0.1 Release 31734.


TCMAN GIM is vulnerable to a lack of authorization in all available webservice methods listed in /PC/WebService.asmx.

The exploitation of this vulnerability might allow a remote attacker to obtain information.

CWE-287: improper authentication.

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.

Encuesta valoración