PT-2025-24428 · TCMAN · TCMAN's GIM

Published: 2025-06-09 · Updated: 2025-06-09 · CVE-2025-40668

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: TCMAN's GIM version 11

Description: The issue is an incorrect authorization vulnerability. It allows an attacker with a low privilege level to change the password of other users through a POST request that supplies the parameters idUser, PasswordActual, PasswordNew, and PasswordNewRepeat to the "/PC/WebService.aspx/validateChangePasswordña" API endpoint. To exploit the vulnerability, the PasswordActual parameter must be empty.

Recommendations: For TCMAN's GIM version 11, as a temporary workaround, restrict access to the "/PC/WebService.aspx/validateChangePasswordña" API endpoint to minimize the risk of exploitation. Avoid using the PasswordActual parameter in this endpoint until the issue is resolved. Additionally, restrict the use of the idUser, PasswordNew, and PasswordNewRepeat parameters in this context to prevent unauthorized password changes.
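The two server-side checks that this class of bug is missing are (1) the target account must be the authenticated caller, taken from the server-side session rather than from the client-supplied idUser, and (2) an empty or wrong current password must fail the request rather than bypass verification. The following Python handler is an added illustration of that hardened logic, written for this page; it is not TCMAN's code, the parameter names are the ones from the advisory, and the in-memory user store, the PBKDF2 hashing and the 12-character policy are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store for this example (not GIM's real storage).
# Each record holds a per-user salt and the PBKDF2-HMAC-SHA256 hash of the password.
PBKDF2_ROUNDS = 100_000
MIN_NEW_PASSWORD_LENGTH = 12  # assumed policy for the example


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


USERS = {
    101: make_user("alice-current-pw"),  # constructed sample accounts
    202: make_user("bob-current-pw"),
}


def verify_password(user_id: int, password: str) -> bool:
    """Constant-time comparison against the stored hash."""
    user = USERS[user_id]
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"])


def validate_change_password(session_user_id: int, form: dict) -> tuple[bool, str]:
    """Hardened change-password handler.

    session_user_id comes from the server-side session, never from the request.
    form is the POST body with the advisory's parameter names.
    Returns (ok, reason); every rejection happens before any write.
    """
    try:
        id_user = int(form.get("idUser", ""))
    except ValueError:
        return False, "invalid idUser"

    # Authorization: a self-service endpoint may only touch the caller's own
    # account. The client-supplied idUser is checked, not trusted.
    if id_user != session_user_id:
        return False, "idUser does not match authenticated user"

    current = form.get("PasswordActual", "")
    new = form.get("PasswordNew", "")
    repeat = form.get("PasswordNewRepeat", "")

    # An empty current password is a failed check, not a reason to skip it.
    if not current:
        return False, "current password required"
    if id_user not in USERS:
        return False, "unknown user"
    if not verify_password(id_user, current):
        return False, "current password incorrect"

    # Only now validate the new credential.
    if new != repeat:
        return False, "new passwords do not match"
    if len(new) < MIN_NEW_PASSWORD_LENGTH or new == current:
        return False, "new password rejected by policy"

    # Re-salt on every change so the old hash cannot be reused.
    salt = os.urandom(16)
    USERS[id_user] = {"salt": salt, "hash": _hash_password(new, salt)}
    return True, "password changed"
```

The order of the checks matters: authorization is decided from the session before any parameter is interpreted, and the current-password check runs before the new-password policy so that a caller cannot learn anything about the target account from which validation message comes back. An administrator-driven reset is a different operation and belongs on a separate endpoint guarded by its own role check, not on a self-service endpoint that accepts an idUser.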

Fix

Weakness Enumeration: Incorrect Authorization

Related Identifiers: CVE-2025-40668

Affected Products: TCMAN's GIM