CVE-2023-27195
CRITICAL 9.8
Description
Trimble TM4Web 22.2.0 allows unauthenticated attackers to request /inc/tm_ajax.msw?func=UserfromUUID&uuid= and retrieve the most recently issued registration access code, then use that code to register a valid account via a PUT request to /inc/tm_ajax.msw. If the leaked access code was originally used to create an Administrator account, the attacker can register new Administrator accounts with full privileges in the same way. No authentication is required for either step, which is why the CVSS vector carries PR:N and the score reaches 9.8.
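The two-step chain above (an access-code lookup followed by an unauthenticated PUT to the same endpoint) is what a defender would want to spot in web server logs. The following is an added detection example, not code from the advisory, from the full-disclosure post, or from Trimble. It assumes Apache/nginx "combined" access-log lines, assumes the lookup step is an HTTP GET (the page gives the URL but not the method), and treats any PUT to /inc/tm_ajax.msw from the same client within ten minutes of a successful lookup as a likely registration attempt. The log lines, IP addresses and the benign func=GetVersion request are constructed for the example.

```python
"""Detection sketch for CVE-2023-27195 exploitation attempts in access logs.

Added example (not the vendor's or the reporter's code). Assumptions not stated
on the CVE page: combined log format, GET for the UserfromUUID lookup, and a
10-minute window between lookup and registration PUT. Sample lines are constructed.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
ENDPOINT = "/inc/tm_ajax.msw"          # endpoint named in the CVE description
LOOKUP_FUNC = "userfromuuid"           # func=UserfromUUID, compared case-insensitively
CHAIN_WINDOW = timedelta(minutes=10)   # assumed correlation window (not from the page)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": url.path,
        # parse_qs drops the empty uuid= value; only the func name matters here
        "query": {k.lower(): v for k, v in parse_qs(url.query).items()},
        "status": int(m["status"]),
    }


def is_code_lookup(ev):
    """Step 1 of the chain: GET /inc/tm_ajax.msw?func=UserfromUUID&uuid=..."""
    funcs = ev["query"].get("func", [])
    return (ev["path"] == ENDPOINT and ev["method"] == "GET"
            and any(f.lower() == LOOKUP_FUNC for f in funcs))


def is_registration_put(ev):
    """Step 2 of the chain: PUT /inc/tm_ajax.msw (account registration)."""
    return ev["path"] == ENDPOINT and ev["method"] == "PUT"


def detect(lines):
    """Return findings as (kind, client_ip, iso_timestamp) tuples, in log order.

    Every UserfromUUID lookup is reported on its own; a PUT is only reported when
    the same client performed a successful (HTTP 200) lookup inside CHAIN_WINDOW.
    """
    findings = []
    last_lookup = {}  # client ip -> timestamp of its most recent successful lookup
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if is_code_lookup(ev):
            findings.append(("access_code_lookup", ev["ip"], ev["ts"].isoformat()))
            if ev["status"] == 200:
                last_lookup[ev["ip"]] = ev["ts"]
        elif is_registration_put(ev):
            t0 = last_lookup.get(ev["ip"])
            if t0 is not None and ev["ts"] - t0 <= CHAIN_WINDOW:
                findings.append(("registration_after_lookup", ev["ip"], ev["ts"].isoformat()))
    return findings


# Constructed sample log: one benign call, one full exploit chain from 192.0.2.10,
# one PUT with no prior lookup, and one PUT far outside the correlation window.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Apr/2024:13:04:58 +0000] "GET /inc/tm_ajax.msw?func=GetVersion HTTP/1.1" 200 45',
    '192.0.2.10 - - [10/Apr/2024:13:05:22 +0000] "GET /inc/tm_ajax.msw?func=UserfromUUID&uuid= HTTP/1.1" 200 87',
    '192.0.2.10 - - [10/Apr/2024:13:05:41 +0000] "PUT /inc/tm_ajax.msw HTTP/1.1" 200 212',
    '203.0.113.5 - - [10/Apr/2024:13:30:02 +0000] "PUT /inc/tm_ajax.msw HTTP/1.1" 200 212',
    '192.0.2.10 - - [10/Apr/2024:15:00:00 +0000] "PUT /inc/tm_ajax.msw HTTP/1.1" 200 212',
]

if __name__ == "__main__":
    for kind, ip, ts in detect(SAMPLE_LOG):
        print(f"{ts} {ip} {kind}")
```

Run against the constructed sample, the lookup from 192.0.2.10 and the PUT nineteen seconds later are reported; the lone PUT from 203.0.113.5 and the PUT two hours after the lookup are not. A lone PUT to the endpoint is not reported because legitimate registrations presumably use the same request, so the lookup is the discriminating signal; tune CHAIN_WINDOW and the 200-status requirement to your own traffic.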
CVE Details
CVSS v3.1 Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Published: 11/8/2024
Last Modified: 11/21/2024
Source: nvd
Honeypot Sightings: 0
Weaknesses (CWE)
CWE-276 (Incorrect Default Permissions)
References
https://seclists.org/fulldisclosure/2024/Apr/16 (cve@mitre.org)
https://transportation.trimble.com/products/TM4Web (cve@mitre.org)
http://seclists.org/fulldisclosure/2024/Apr/16 (af854a3a-2127-422b-91ae-364da2661108)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.