Clément Cruchet

**Name of the Vulnerable Software and Affected Versions** Trimble TM4Web version 22.2.0 **Description** The issue allows unauthenticated attackers to access the "/inc/tm ajax.msw?func=UserfromUUID&uuid=" endpoint to retrieve the last registration access code and use this access code to register a valid account via a PUT "/inc/tm ajax.msw" request. If the access code was used to create an Administrator account, attackers are also able to register new Administrator accounts with full privileges. **Recommendations** For Trimble TM4Web version 22.2.0, update to the latest version to mitigate risks. As a temporary workaround, consider restricting access to the "/inc/tm ajax.msw" endpoint and the `UserfromUUID` function to minimize the risk of exploitation. Avoid using the `uuid` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** One Identity Password Manager version 5.8 **Description** An issue was discovered in One Identity Password Manager where an attacker could enumerate valid answers for a user. This is possible because the HTTP response content returns 'WRONG ID' only when the answer is incorrect, allowing an attacker to detect a valid answer and reuse it later for a password reset on a chosen password. **Recommendations** For One Identity Password Manager version 5.8, consider restricting access to the password reset functionality until a patch is available. As a temporary workaround, modify the HTTP response content to not disclose whether the answer is correct or not, preventing attackers from enumerating valid answers. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ultimate Member plugin version 2.39 **Description** An issue in the Ultimate Member plugin for WordPress allows unauthorized modification of user profiles and cover pictures. Once connected, an attacker can modify the profile and cover picture of any user, including those of privileged users. To exploit this, an attacker would need to intercept an upload-picture request and modify the `user id` parameter. **Recommendations** For Ultimate Member plugin version 2.39, consider disabling the profile and cover picture modification functionality until a patch is available. Restrict access to the upload-picture request to minimize the risk of exploitation. Avoid using the `user id` parameter in the affected request until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Ultimate Member plugin version 2.39 for WordPress **Description** An issue was discovered in the password reset functionality, allowing an attacker to reset the password of another user without proper verification. This is possible because the `user id` parameter is not properly correlated with the reset password key sent by email. An attacker can intercept the password modification request and modify the `user id` to target any user, including admins, potentially leading to account compromise and privilege escalation. **Recommendations** For Ultimate Member plugin version 2.39, consider disabling the password reset functionality until a patch is available to prevent exploitation. Restrict access to the password modification request to minimize the risk of interception and modification of the `user id` parameter.