CVE-2021-4046 - OpenCVE

The m_txtNom y m_txtCognoms parameters in TCMAN GIM v8.01 allow an attacker to perform persistent XSS attacks. This vulnerability could be used to carry out a number of browser-based attacks including browser hijacking or theft of sensitive data.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Tcman	Gim

Configuration 1 [-]

OR	cpe:2.3:a:tcman:gim:8.0.1:::::::*
	cpe:2.3:a:tcman:gim:8.01:::::::*

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/tcman-gim-cross-site-scripting-xss

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: INCIBE

Published: 2022-02-08T00:00:00

Updated: 2023-11-22T12:07:44.955Z

Reserved: 2021-12-02T00:00:00

Link: CVE-2021-4046

JSON object: View

NVD Information

Status : Modified

Published: 2022-02-11T18:15:10.840

Modified: 2023-11-22T12:15:21.930

Link: CVE-2021-4046

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "GIM", "vendor": "TCMAN", "versions": [{"status": "affected", "version": "8.01"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Pablo Arias Rodr\u00edguez and Jorge Alberto Palma Reyes"}], "datePublic": "2022-02-07T23:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The m_txtNom y m_txtCognoms parameters in TCMAN GIM v8.01 allow an attacker to perform persistent XSS attacks. This vulnerability could be used to carry out a number of browser-based attacks including browser hijacking or theft of sensitive data."}], "value": "The m_txtNom y m_txtCognoms parameters in TCMAN GIM v8.01 allow an attacker to perform persistent XSS attacks. This vulnerability could be used to carry out a number of browser-based attacks including browser hijacking or theft of sensitive data."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2023-11-22T12:07:44.955Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/tcman-gim-cross-site-scripting-xss"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "This vulnerability has been solved by TCMAN in GIM v8.0.1 Release 31734."}], "value": "This vulnerability has been solved by TCMAN in GIM v8.0.1 Release 31734."}], "source": {"advisory": "INCIBE-2021-0596", "discovery": "EXTERNAL"}, "title": "TCMAN GIM Cross-Site Scripting (XSS)", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-coordination@incibe.es", "DATE_PUBLIC": "2022-02-08T08:00:00.000Z", "ID": "CVE-2021-4046", "STATE": "PUBLIC", "TITLE": "TCMAN GIM Cross-Site Scripting (XSS)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "GIM", "version": {"version_data": [{"version_affected": "=", "version_name": "8.01", "version_value": "8.01"}]}}]}, "vendor_name": "TCMAN"}]}}, "credit": [{"lang": "eng", "value": "Pablo Arias Rodr\u00edguez and Jorge Alberto Palma Reyes"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The m_txtNom y m_txtCognoms parameters in TCMAN GIM v8.01 allow an attacker to perform persistent XSS attacks. This vulnerability could be used to carry out a number of browser-based attacks including browser hijacking or theft of sensitive data."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://www.incibe-cert.es/en/early-warning/security-advisories/tcman-gim-cross-site-scripting-xss", "refsource": "CONFIRM", "url": "https://www.incibe-cert.es/en/early-warning/security-advisories/tcman-gim-cross-site-scripting-xss"}]}, "solution": [{"lang": "en", "value": "This vulnerability has been solved by TCMAN in GIM v8.0.1 Release 31734."}], "source": {"advisory": "INCIBE-2021-0596", "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "assignerShortName": "INCIBE", "cveId": "CVE-2021-4046", "datePublished": "2022-02-08T00:00:00", "dateReserved": "2021-12-02T00:00:00", "dateUpdated": "2023-11-22T12:07:44.955Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tcman:gim:8.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "11CE9810-63E8-47FB-80D7-E5D17613C8DD", "vulnerable": true}, {"criteria": "cpe:2.3:a:tcman:gim:8.01:*:*:*:*:*:*:*", "matchCriteriaId": "D776738A-6A40-41C4-A7BC-4C22BE7AE30B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The m_txtNom y m_txtCognoms parameters in TCMAN GIM v8.01 allow an attacker to perform persistent XSS attacks. This vulnerability could be used to carry out a number of browser-based attacks including browser hijacking or theft of sensitive data."}, {"lang": "es", "value": "Los par\u00e1metros m_txtNom y m_txtCognoms en TCMAN GIM versi\u00f3n v8.01, permiten a un atacante llevar a cabo ataques de tipo XSS persistentes. Esta vulnerabilidad podr\u00eda ser usada para llevar a cabo una serie de ataques basados en el navegador, incluyendo el secuestro del navegador o el robo de datos confidenciales"}], "id": "CVE-2021-4046", "lastModified": "2023-11-22T12:15:21.930", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2022-02-11T18:15:10.840", "references": [{"source": "cve-coordination@incibe.es", "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/tcman-gim-cross-site-scripting-xss"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "cve-coordination@incibe.es", "type": "Secondary"}]}