TCMAN GIM Missing Authorization Vulnerability Allowing Unrestricted Access to Application Functionality

A missing authorization vulnerability has been identified in TCMAN's GIM version 11. This vulnerability allows authenticated attackers to access any application functionality, even those not available through the user interface. Exploitation requires modifying the HTTP response code from '302 Found' to '200 OK', along with the hidden fields hdnReadOnly and hdnUserLogin.

Impact

Exploitation of this vulnerability could lead to unauthorized access to application features and functionalities, potentially allowing for further exploitation of the application or its data.

Reproduction

To reproduce this vulnerability, an authenticated user must intercept the HTTP response for a request that is redirected with a '302 Found' status. This can be done using a web proxy or similar tool. Once the response is intercepted, it should be modified to change the status to '200 OK' and to include the appropriate values for the hidden fields hdnReadOnly and hdnUserLogin. After making these changes, the modified response can be sent back to the application, granting access to the unauthorized functionality.

Remediation

Users are advised to update to the TCMAN GIM version released on November 12, 2024, which addresses this vulnerability.