This page aggregates CVE and security vulnerability information across all TCMAN-related products, listing CVSS scores, EPSS scores, publication dates, and vulnerability details.
Common weakness patterns include SQL injection, cross-site scripting, path-handling flaws, and open redirect; in software deployment scenarios these can lead to risks such as data exposure, file overwriting, and session compromise.
The listed data is based on public vulnerability information and security advisories and can be used to assess past exposure and to prioritize remediation.
| CVE | Summary | Source | Max CVSS | EPSS (%) | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-41015 | User Enumeration Vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker to determine whether a user exists on the system. The vulnerability is exploitable through the 'pda:username' parameter with 'soapaction GetUserQuestionAndAnswer' in '/WS/PDAWebService.asmx'. | [email protected] | 6.9 | 0.26% | 2025-12-02 | 2025-12-03 |
| CVE-2025-41014 | User Enumeration Vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker to determine whether a user exists on the system. The vulnerability is exploitable through the 'pda:username' parameter with 'soapaction GetLastDatePasswordChange' in '/WS/PDAWebService.asmx'. | [email protected] | 6.9 | 0.26% | 2025-12-02 | 2025-12-03 |
| CVE-2025-41013 | SQL injection vulnerability in TCMAN GIM v11 in version 20250304. This vulnerability allows an attacker to retrieve, create, update, and delete databases by sending a GET request using the 'idmant' parameter in '/PC/frmEPIS.aspx'. | [email protected] | 8.7 | 0.25% | 2025-12-02 | 2025-12-03 |
| CVE-2025-41012 | Unauthorized access vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker to determine whether a user exists on the system by using the 'pda:userId' and 'pda:newPassword' parameters with 'soapaction UnlockUser' in '/WS/PDAWebService.asmx'. | [email protected] | 8.7 | 0.21% | 2025-12-02 | 2025-12-03 |
| CVE-2025-40670 | Incorrect authorization vulnerability in TCMAN's GIM v11. This vulnerability allows an unprivileged attacker to create a user and assign it many privileges by sending a POST request to /PC/frmGestionUser.aspx/updateUser. | [email protected] | 7.1 | 0.25% | 2025-06-09 | 2025-10-06 |
| CVE-2025-40669 | Incorrect authorization vulnerability in TCMAN's GIM v11. This vulnerability allows an unprivileged attacker to modify the permissions held by each of the application's users, including the user himself by sending a POST request to /PC/Options.aspx?Command=2&Page=-1. | [email protected] | 7.1 | 0.15% | 2025-06-09 | 2025-10-06 |
| CVE-2025-40668 | Incorrect authorization vulnerability in TCMAN's GIM v11. This vulnerability allows an attacker, with low privilege level, to change the password of other users through a POST request using the parameters idUser, PasswordActual, PasswordNew and PasswordNewRepeat in /PC/WebService.aspx/validateChangePassword%C3%B1a. To exploit the vulnerability the PasswordActual parameter must be empty. | [email protected] | 7.1 | 0.17% | 2025-06-09 | 2025-10-06 |
| CVE-2025-40667 | Missing authorization vulnerability in TCMAN's GIM v11. This allows an authenticated attacker to access any functionality of the application even when they are not available through the user interface. To exploit the vulnerability the attacker must modify the HTTP code of the response from '302 Found' to '200 OK', as well as the hidden fields hdnReadOnly and hdnUserLogin. | [email protected] | 8.7 | 0.17% | 2025-05-26 | 2025-10-10 |
| CVE-2025-40666 | Time-based blind SQL injection vulnerabilities in TCMAN's GIM v11. These allow an attacker to retrieve, create, update and delete databases through ArbolID parameter in /GIMWeb/PC/frmPreventivosList.aspx. | [email protected] | 8.7 | 0.32% | 2025-05-26 | 2025-10-10 |
| CVE-2025-40665 | Time-based blind SQL injection vulnerabilities in TCMAN's GIM v11. These allow an attacker to retrieve, create, update and delete databases through ArbolID parameter in /GIMWeb/PC/frmCorrectivosList.aspx. | [email protected] | 8.7 | 0.32% | 2025-05-26 | 2025-10-10 |
| CVE-2025-40664 | Missing authentication vulnerability in TCMAN GIM v11. This allows an unauthenticated attacker to access the resources /frmGestionUser.aspx/GetData, /frmGestionUser.aspx/updateUser and /frmGestionUser.aspx/DeleteUser. | [email protected] | 9.3 | 0.49% | 2025-05-26 | 2025-10-10 |
| CVE-2025-40625 | Unrestricted file upload in TCMAN's GIM v11. This vulnerability allows an unauthenticated attacker to upload any file within the server, even a malicious file to obtain a Remote Code Execution (RCE). | [email protected] | 9.3 | 0.59% | 2025-05-06 | 2025-05-13 |
| CVE-2025-40624 | SQL injection in TCMAN's GIM v11. This vulnerability allows an unauthenticated attacker to inject an SQL statement to obtain, update and delete all information in the database. This vulnerability was found in each of the following parameters according to the vulnerability identifier: 'User' and 'email' parameters of the 'updatePassword' endpoint. | [email protected] | 9.3 | 0.36% | 2025-05-06 | 2025-05-13 |
| CVE-2025-40623 | SQL injection in TCMAN's GIM v11. This vulnerability allows an unauthenticated attacker to inject an SQL statement to obtain, update and delete all information in the database. This vulnerability was found in each of the following parameters according to the vulnerability identifier: 'Sender' and 'email' parameters of the 'createNotificationAndroid' endpoint. | [email protected] | 9.3 | 0.36% | 2025-05-06 | 2025-05-13 |
| CVE-2025-40622 | SQL injection in TCMAN's GIM v11. This vulnerability allows an unauthenticated attacker to inject an SQL statement to obtain, update and delete all information in the database. This vulnerability was found in each of the following parameters according to the vulnerability identifier: 'username' parameter of the 'GetLastDatePasswordChange' endpoint. | [email protected] | 9.3 | 0.36% | 2025-05-06 | 2025-05-13 |
| CVE-2025-40621 | SQL injection in TCMAN's GIM v11. This vulnerability allows an unauthenticated attacker to inject an SQL statement to obtain, update and delete all information in the database. This vulnerability was found in each of the following parameters according to the vulnerability identifier: 'User' parameter of the 'ValidateUserAndGetData' endpoint. | [email protected] | 9.3 | 0.36% | 2025-05-06 | 2025-05-13 |
| CVE-2025-40620 | SQL injection in TCMAN's GIM v11. This vulnerability allows an unauthenticated attacker to inject an SQL statement to obtain, update and delete all information in the database. This vulnerability was found in each of the following parameters according to the vulnerability identifier: 'User' parameter of the 'ValidateUserAndWS' endpoint. | [email protected] | 9.3 | 0.36% | 2025-05-06 | 2025-05-13 |
| CVE-2022-36277 | The 'sReferencia', 'sDescripcion', 'txtCodigo' and 'txtDescripcion' parameters, in the frmGestionStock.aspx and frmEditServicio.aspx files in TCMAN GIM v8.0.1, could allow an attacker to perform persistent XSS attacks. | [email protected] | 6.5 | 0.33% | 2023-10-04 | 2024-11-21 |
| CVE-2022-36276 | TCMAN GIM v8.0.1 is vulnerable to a SQL injection via the 'SqlWhere' parameter inside the function 'BuscarESM'. The exploitation of this vulnerability might allow a remote attacker to directly interact with the database. | [email protected] | 9.9 | 0.77% | 2023-10-04 | 2024-11-21 |
| CVE-2021-4046 | The m_txtNom and m_txtCognoms parameters in TCMAN GIM v8.01 allow an attacker to perform persistent XSS attacks. This vulnerability could be used to carry out a number of browser-based attacks including browser hijacking or theft of sensitive data. | [email protected] | 5.4 | 0.43% | 2022-02-11 | 2024-11-21 |