Trimble · Trimble Tm4Web · CVE-2023-27195
**Name of the Vulnerable Software and Affected Versions**
Trimble TM4Web version 22.2.0
**Description**
The issue allows unauthenticated attackers to access the `/inc/tm ajax.msw?func=UserfromUUID&uuid=` endpoint to retrieve the last registration access code and use this access code to register a valid account via a PUT `/inc/tm ajax.msw` request. If the access code was used to create an Administrator account, attackers are also able to register new Administrator accounts with full privileges.
**Recommendations**
For Trimble TM4Web version 22.2.0, update to the latest version to mitigate risks. As a temporary workaround, consider restricting access to the `/inc/tm ajax.msw` endpoint and the `UserfromUUID` function to minimize the risk of exploitation. Avoid using the `uuid` parameter in the affected API endpoint until the issue is resolved.
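Until the upgrade lands, the pattern described above is easy to spot in web-server logs: an unauthenticated GET to the endpoint with `func=UserfromUUID`, followed by a PUT to the same endpoint from the same client. The following detector is an added example written for this page, not Trimble's code or part of the advisory. It parses combined-format access-log lines, classifies the two request types, and raises an alert per client IP. The sample log lines are constructed; the advisory prints the path as `/inc/tm ajax.msw`, and the matcher also accepts an underscore or `%20` in that position (an assumption, in case the separator was altered when the advisory was reproduced).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident authuser [ts] "METHOD target HTTP/x.y" status bytes ...
# The request target is quoted, so a literal space inside the path still parses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.+?) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Endpoint named in the advisory. Assumption: accept " ", "_" or "%20" between
# "tm" and "ajax" so the rule is robust to how the path was transcribed.
ENDPOINT_RE = re.compile(r'^/inc/tm(?: |_|%20)ajax\.msw$', re.IGNORECASE)

# Constructed sample traffic (RFC 5737 documentation addresses); not real log data.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Mar/2023:12:00:01 +0000] "GET /inc/tm ajax.msw?func=UserfromUUID&uuid= HTTP/1.1" 200 512 "-" "curl/7.88"',
    '203.0.113.10 - - [10/Mar/2023:12:00:09 +0000] "PUT /inc/tm ajax.msw HTTP/1.1" 200 87 "-" "curl/7.88"',
    '198.51.100.7 - jdoe [10/Mar/2023:12:01:00 +0000] "GET /inc/tm ajax.msw?func=Ping HTTP/1.1" 200 20 "-" "Mozilla/5.0"',
    '198.51.100.7 - jdoe [10/Mar/2023:12:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


@dataclass
class Hit:
    ip: str
    ts: str
    kind: str            # "uuid_lookup" or "registration_put"
    status: str
    authenticated: bool  # False when the authuser field is "-"


def classify(line: str) -> Optional[Hit]:
    """Return a Hit for the two request types the advisory describes, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not ENDPOINT_RE.match(parts.path):
        return None
    func = (parse_qs(parts.query).get("func") or [""])[0]
    authed = m.group("user") != "-"
    if m.group("method") == "GET" and func.lower() == "userfromuuid":
        return Hit(m.group("ip"), m.group("ts"), "uuid_lookup", m.group("status"), authed)
    if m.group("method") == "PUT":
        return Hit(m.group("ip"), m.group("ts"), "registration_put", m.group("status"), authed)
    return None


def correlate(lines: List[str]) -> Dict[str, List[Hit]]:
    """Group hits by client IP, preserving log order."""
    by_ip: Dict[str, List[Hit]] = {}
    for line in lines:
        hit = classify(line)
        if hit is not None:
            by_ip.setdefault(hit.ip, []).append(hit)
    return by_ip


def alerts(lines: List[str]) -> List[Tuple[str, str]]:
    """(severity, ip) pairs: HIGH when a UUID lookup precedes a PUT from the same IP,
    MEDIUM for an unauthenticated UUID lookup on its own."""
    out: List[Tuple[str, str]] = []
    for ip, hits in correlate(lines).items():
        kinds = [h.kind for h in hits]
        if "uuid_lookup" in kinds and "registration_put" in kinds[kinds.index("uuid_lookup"):]:
            out.append(("HIGH", ip))
        elif any(h.kind == "uuid_lookup" and not h.authenticated for h in hits):
            out.append(("MEDIUM", ip))
    return out


if __name__ == "__main__":
    for severity, ip in alerts(SAMPLE_LOG):
        print(f"{severity}: {ip} matched the TM4Web UserfromUUID registration pattern")
```

The HIGH rule keys on ordering rather than mere co-occurrence, since a legitimate authenticated client could plausibly issue a PUT to the same handler; the MEDIUM rule fires on any lookup with an empty authuser field, which is the condition the advisory describes as exploitable. Feed real logs in one line at a time and route HIGH hits to the same queue as other account-creation anomalies.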