Pablo Arias Rodríguez

**Name of the Vulnerable Software and Affected Versions** TCMAN GIM version 8.0.1 **Description** The issue is related to a SQL injection vulnerability via the `SqlWhere` parameter inside the `BuscarESM` function. This could allow a remote attacker to directly interact with the database. **Recommendations** For TCMAN GIM version 8.0.1, consider disabling the `BuscarESM` function or restricting access to the `SqlWhere` parameter until a patch is available. Additionally, restrict interactions with the database to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TCMAN GIM version 8.0.1 **Description** The issue concerns the `sReferencia`, `sDescripcion`, `txtCodigo`, and `txtDescripcion` parameters in the "frmGestionStock.aspx" and "frmEditServicio.aspx" files, which could allow an attacker to perform persistent XSS attacks. **Recommendations** For TCMAN GIM version 8.0.1, consider restricting or sanitizing the input for the `sReferencia`, `sDescripcion`, `txtCodigo`, and `txtDescripcion` parameters in the affected files to prevent XSS attacks. As a temporary workaround, restrict access to the frmGestionStock.aspx and frmEditServicio.aspx files until a patch is available.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The web application does not correctly filter input parameters, allowing for SQL injections, Denial of Service (DoS), or information disclosure. It is necessary to log into the application to exploit this issue. No information is provided about the estimated number of potentially affected devices or real-world incidents. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QSige Monitor (affected versions not specified) **Description** The QSige Monitor application lacks an access control mechanism to verify if a user has sufficient permissions to access a resource. A user must be logged into the application to exploit this issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The issue allows an attacker to perform stored XSS attacks on certain resources. Exploiting this can lead to a Denial of Service (DoS) condition, among other actions. No information is provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QSige (affected versions not specified) **Description** The QSige login SSO lacks an access control mechanism to verify if a user has sufficient permissions to request a resource. To exploit this, a user must first log into the application. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QSige (affected versions not specified) **Description** The QSige login SSO lacks an access control mechanism to verify if a user has sufficient permissions to request a resource. To exploit this, a user must first log into the application. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QSige (affected versions not specified) **Description** The QSige statistics are affected by a remote SQL injection vulnerability. The web application does not correctly filter input parameters, allowing SQL injections, Denial of Service (DoS), or information disclosure. To exploit this issue, an attacker must first log into the application. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned. **Description** The file upload functionality is not implemented correctly, allowing the upload of any type of file. An attacker must log into the application with a valid username to exploit this issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Nome do software vulnerável e versões afetadas** TCMAN GIM versão 8.01 **Descrição** A vulnerabilidade permite que um invasor realize ataques XSS persistentes utilizando os parâmetros `m txtNom` e `m txtCognoms`. Isso poderia ser usado para realizar ataques baseados no navegador, incluindo o sequestro do navegador ou o roubo de dados confidenciais. **Recomendações** Para o TCMAN GIM versão 8.01, considere restringir o uso dos parâmetros `m txtNom` e `m txtCognoms` até que uma correção esteja disponível para impedir a exploração. No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.