CVE-2025-40667 | THREATINT

Description

Missing authorization vulnerability in TCMAN's GIM v11. This allows an authenticated attacker to access any functionality of the application even when they are not available through the user interface. To exploit the vulnerability the attacker must modify the HTTP code of the response from ‘302 Found’ to ‘200 OK’, as well as the hidden fields hdnReadOnly and hdnUserLogin.

PUBLISHED Reserved 2025-04-16 | Published 2025-05-26 | Updated 2025-05-27 | Assigner INCIBE

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-862 Missing Authorization

Product status

Default status

unaffected

affected

Credits

Carlos Aguadé finder

References

www.incibe.es/.../aviso/multiple-vulnerabilities-tcman-gim-0

cve.org (CVE-2025-40667)

nvd.nist.gov (CVE-2025-40667)

Download JSON