TCMAN GIM SQL injection vulnerability
GIM version v8 and v11.
INCIBE has coordinated the publication of a vulnerability in TCMAN GIM, with the internal code INCIBE-2021-0508, which has been discovered by Francisco Palma, Luis Vázquez and Diego León from Zerolynx, with special mention to Jesús Alcalde, David Jiménez, José Hermoso, Sergio Gutiérrez, Juan Antonio Calles, Elina Cárdenas, Helena Jalain and Jorge Escabias.
CVE-2021-40850 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated, the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
This vulnerability has been solved by TCMAN in GIM v8.0.1 Release 31734.
TCMAN GIM is vulnerable to a SQL injection vulnerability inside several available webservice methods in /PC/WebService.asmx.
The exploitation of this vulnerability might allow a remote attacker to execute SQL queries as an admin user.
CWE-89: improper neutralization of special elements used in an SQL command ('SQL injection').
If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.