CVE-2025-40668 Information

Description

Incorrect authorization vulnerability in TCMAN’s GIM v11. This vulnerability allows an attacker with a low privilege level to change the password of other users through a POST request using the parameters idUser, PasswordActual, PasswordNew and PasswordNewRepeat in /PC/WebService.aspx/validateChangePassword%C3%B1a. To exploit the vulnerability, the PasswordActual parameter must be empty.
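The server-side checks whose absence the description implies, written as an added example in Python (not TCMAN's code and not part of the advisory). Only the four parameter names come from the description; the function names, the session identity argument and the credential callback are assumptions for illustration.

```python
import hmac

# Parameter names are taken from the advisory; everything else is hypothetical.
REQUIRED = ("idUser", "PasswordActual", "PasswordNew", "PasswordNewRepeat")


def authorize_password_change(session_user_id, params, verify_current_password):
    """Return (allowed, reason) for a self-service password-change request.

    session_user_id: identity from the authenticated session, never from the body.
    verify_current_password: callable(user_id, candidate) -> bool (assumed check).
    """
    missing = [name for name in REQUIRED if name not in params]
    if missing:
        return False, "missing parameter: " + ", ".join(missing)

    # 1. The target account must be the caller's own account.
    if str(params["idUser"]) != str(session_user_id):
        return False, "idUser does not match the authenticated session"

    # 2. An empty current password must never skip verification.
    current = params["PasswordActual"]
    if not current:
        return False, "current password is required"
    if not verify_current_password(session_user_id, current):
        return False, "current password is incorrect"

    # 3. The new password must be present and confirmed.
    new, repeat = params["PasswordNew"], params["PasswordNewRepeat"]
    if not new or not hmac.compare_digest(new.encode(), repeat.encode()):
        return False, "new password missing or not confirmed"
    return True, "ok"


# Constructed sample data: a toy credential store for the demonstration only.
_DEMO_PASSWORDS = {"17": "old-secret"}


def demo_verify(user_id, candidate):
    stored = _DEMO_PASSWORDS.get(str(user_id), "")
    return hmac.compare_digest(stored.encode(), candidate.encode())


if __name__ == "__main__":
    # Request shape from the description: another user's id, empty PasswordActual.
    body = {"idUser": "42", "PasswordActual": "",
            "PasswordNew": "x", "PasswordNewRepeat": "x"}
    print(authorize_password_change("17", body, demo_verify))
```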

Reference

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-tcman-gim-1
