CVE-2025-40667

HIGH Year: 2025
Weakness Type
CWE-862
View all →

Vulnerability Description

Missing authorization vulnerability in TCMAN's GIM v11. This allows an authenticated attacker to access any functionality of the application even when they are not available through the user interface. To exploit the vulnerability the attacker must modify the HTTP code of the response from ‘302 Found’ to ‘200 OK’, as well as the hidden fields hdnReadOnly and hdnUserLogin.

Related Vulnerabilities

CVE-2021-37535

CRITICAL
CVSS:10.0(Critical)

SAP NetWeaver Application Server Java (JMS Connector Service) - versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for user privileges.

CWE-8622021

CVE-2022-0543

CRITICAL
CVSS:10.0(Critical)

It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.

CWE-8622022

CVE-2024-33566

CRITICAL
CVSS:10.0(Critical)

Missing Authorization vulnerability in N-Media OrderConvo allows OS Command Injection.This issue affects OrderConvo: from n/a through 12.4.

CWE-8622024

CVE-2024-52416

CRITICAL
CVSS:10.0(Critical)

Missing Authorization vulnerability in Eugen Bobrowski Debug Tool allows Upload a Web Shell to a Web Server.This issue affects Debug Tool: from n/a through 2.2.

CWE-8622024

CVE-2024-6071

CRITICAL
CVSS:10.0(Critical)

PTC Creo Elements/Direct License Server exposes a web interface which can be used by unauthenticated remote attackers to execute arbitrary OS commands on the server.

CWE-8622024

CVE-2024-6500

CRITICAL
CVSS:10.0(Critical)

The InPost for WooCommerce plugin and InPost PL plugin for WordPress are vulnerable to unauthorized access and deletion of data due to a missing capability check on the 'parse_request' function in all...

CWE-8622024