
TCMAN GIM vulnerabilities

24 known vulnerabilities affecting tcman/gim.

Total CVEs: 24
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 12, HIGH 5, MEDIUM 7

Vulnerabilities

Page 1 of 2
CVE-2025-40625 | P2 | CRITICAL | CVSS 9.8 | v11.0 | v11 | 2025-05-06
[CRITICAL] CWE-434: Unrestricted file upload in TCMAN's GIM v11. This vulnerability allows an unauthenticated attacker to upload any file within the server, even a malicious file to obtain a Remote Code Execution (RCE).
Source: NVD
CVE-2025-40664 | P2 | CRITICAL | CVSS 9.1 | v11.0 | v11 | 2025-05-26
[CRITICAL] CWE-306: Missing authentication vulnerability in TCMAN GIM v11. This allows an unauthenticated attacker to access the resources /frmGestionUser.aspx/GetData, /frmGestionUser.aspx/updateUser and /frmGestionUser.aspx/DeleteUser.
Source: NVD
CVE-2025-40620 | P2 | CRITICAL | CVSS 9.8 | v11.0 | v11 | 2025-05-06
[CRITICAL] CWE-89: SQL injection in TCMAN's GIM v11. This vulnerability allows an unauthenticated attacker to inject an SQL statement to obtain, update and delete all information in the database. This vulnerability was found in each of the following parameters according to the vulnerability identifier: ‘User’ parameter of the ‘ValidateUserAndWS’ endpoint.
Source: NVD
CVE-2025-40623 | P2 | CRITICAL | CVSS 9.8 | v11.0 | v11 | 2025-05-06
[CRITICAL] CWE-89: SQL injection in TCMAN's GIM v11. This vulnerability allows an unauthenticated attacker to inject an SQL statement to obtain, update and delete all information in the database. This vulnerability was found in each of the following parameters according to the vulnerability identifier: ‘Sender’ and ‘email’ parameters of the ‘createNotificationAndroid’
Source: NVD
CVE-2025-40621 | P2 | CRITICAL | CVSS 9.8 | v11.0 | v11 | 2025-05-06
[CRITICAL] CWE-89: SQL injection in TCMAN's GIM v11. This vulnerability allows an unauthenticated attacker to inject an SQL statement to obtain, update and delete all information in the database. This vulnerability was found in each of the following parameters according to the vulnerability identifier: ‘User’ parameter of the ‘ValidateUserAndGetData’ endpoint.
Source: NVD
CVE-2025-40622 | P2 | CRITICAL | CVSS 9.8 | v11.0 | v11 | 2025-05-06
[CRITICAL] CWE-89: SQL injection in TCMAN's GIM v11. This vulnerability allows an unauthenticated attacker to inject an SQL statement to obtain, update and delete all information in the database. This vulnerability was found in each of the following parameters according to the vulnerability identifier: ‘username’ parameter of the ‘GetLastDatePasswordChange’ endpoint.
Source: NVD
CVE-2025-40624 | P2 | CRITICAL | CVSS 9.8 | v11.0 | v11 | 2025-05-06
[CRITICAL] CWE-89: SQL injection in TCMAN's GIM v11. This vulnerability allows an unauthenticated attacker to inject an SQL statement to obtain, update and delete all information in the database. This vulnerability was found in each of the following parameters according to the vulnerability identifier: ‘User’ and ‘email’ parameters of the ‘updatePassword’ endpoint.
Source: NVD
CVE-2025-41013 | P3 | CRITICAL | CVSS 9.8 | fixed in 2025-04-01 | fixed in 20250304 | 2025-12-02
[CRITICAL] CWE-89: SQL injection vulnerability in TCMAN GIM v11 in version 20250304. This vulnerability allows an attacker to retrieve, create, update, and delete databases by sending a GET request using the 'idmant' parameter in '/PC/frmEPIS.aspx'.
Source: NVD
CVE-2025-40665 | P3 | CRITICAL | CVSS 9.8 | v11.0 | v11 | 2025-05-26
[CRITICAL] CWE-89: Time-based blind SQL injection vulnerabilities in TCMAN's GIM v11. These allow an attacker to retrieve, create, update and delete databases through the ArbolID parameter in /GIMWeb/PC/frmCorrectivosList.aspx.
Source: NVD
CVE-2025-40666 | P3 | CRITICAL | CVSS 9.8 | v11.0 | v11 | 2025-05-26
[CRITICAL] CWE-89: Time-based blind SQL injection vulnerabilities in TCMAN's GIM v11. These allow an attacker to retrieve, create, update and delete databases through the ArbolID parameter in /GIMWeb/PC/frmPreventivosList.aspx.
Source: NVD
CVE-2025-40670 | P3 | HIGH | CVSS 8.8 | v11.0 | v11 | 2025-06-09
[HIGH] CWE-863: Incorrect authorization vulnerability in TCMAN's GIM v11. This vulnerability allows an unprivileged attacker to create a user and assign it many privileges by sending a POST request to /PC/frmGestionUser.aspx/updateUser.
Source: NVD
CVE-2022-36276 | P3 | CRITICAL | CVSS 9.8 | v8.0.1 | v8.0.1 | 2023-10-04
[CRITICAL] CWE-89: TCMAN GIM v8.0.1 is vulnerable to a SQL injection via the 'SqlWhere' parameter inside the function 'BuscarESM'. The exploitation of this vulnerability might allow a remote attacker to directly interact with the database.
Source: NVD
CVE-2021-40850 | P3 | CRITICAL | CVSS 9.8 | v8.0 | v11.0 | 2021-12-17
[CRITICAL] CWE-89: TCMAN GIM is vulnerable to a SQL injection vulnerability inside several available webservice methods in /PC/WebService.asmx.
Source: NVD
CVE-2025-41015 | P3 | HIGH | CVSS 7.5 | fixed in 2025-04-01 | fixed in 20250304 | 2025-12-02
[HIGH] CWE-200: User Enumeration Vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker to determine whether a user exists on the system. The vulnerability is exploitable through the 'pda:username' parameter with 'soapaction GetUserQuestionAndAnswer' in '/WS/PDAWebService.asmx'.
Source: NVD
CVE-2025-41014 | P3 | HIGH | CVSS 7.5 | fixed in 2025-04-01 | fixed in 20250304 | 2025-12-02
[HIGH] CWE-200: User Enumeration Vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker to determine whether a user exists on the system. The vulnerability is exploitable through the 'pda:username' parameter with 'soapaction GetLastDatePasswordChange' in '/WS/PDAWebService.asmx'.
Source: NVD
CVE-2021-40851 | P3 | HIGH | CVSS 7.5 | v8.0 | v11.0 | 2021-12-17
[HIGH] CWE-287: TCMAN GIM is vulnerable to a lack of authorization in all available webservice methods listed in /PC/WebService.asmx. The exploitation of this vulnerability might allow a remote attacker to obtain information.
Source: NVD
CVE-2021-40853 | P3 | HIGH | CVSS 7.2 | v8.0 | v11.0 | 2021-12-17
[HIGH] CWE-862: TCMAN GIM does not perform an authorization check when trying to access determined resources. A remote attacker could exploit this vulnerability to access URLs that require privileges without having them. The exploitation of this vulnerability might allow a remote attacker to obtain sensitive information.
Source: NVD
CVE-2025-40668 | P3 | MEDIUM | CVSS 6.5 | v11.0 | v11 | 2025-06-09
[MEDIUM] CWE-863: Incorrect authorization vulnerability in TCMAN's GIM v11. This vulnerability allows an attacker, with low privilege level, to change the password of other users through a POST request using the parameters idUser, PasswordActual, PasswordNew and PasswordNewRepeat in /PC/WebService.aspx/validateChangePassword%C3%B1a. To exploit the vulnerability the P
Source: NVD
CVE-2025-40667 | P3 | MEDIUM | CVSS 6.5 | v11.0 | v11 | 2025-05-26
[MEDIUM] CWE-862: Missing authorization vulnerability in TCMAN's GIM v11. This allows an authenticated attacker to access any functionality of the application even when they are not available through the user interface. To exploit the vulnerability the attacker must modify the HTTP code of the response from ‘302 Found’ to ‘200 OK’, as well as the hidden fields hdnRea
Source: NVD
CVE-2025-40669 | P3 | MEDIUM | CVSS 6.5 | v11.0 | v11 | 2025-06-09
[MEDIUM] CWE-863: Incorrect authorization vulnerability in TCMAN's GIM v11. This vulnerability allows an unprivileged attacker to modify the permissions held by each of the application's users, including the user himself, by sending a POST request to /PC/Options.aspx?Command=2&Page=-1.
Source: NVD