[{"id":"EUVD-2025-15442","description":"PNETLab 4.2.10 does not properly sanitize user inputs in its file access mechanisms. This allows attackers to perform directory traversal by manipulating file paths in HTTP requests. Specifically, the application is vulnerable to requests that access sensitive files outside the intended directory.","datePublished":"May 16, 2025, 12:40:17 PM","dateUpdated":"May 16, 2025, 12:59:59 PM","baseScore":8.7,"baseScoreVersion":"4.0","baseScoreVector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N","references":"https://www.incibe.es/en/incibe-cert/notices/aviso/path-traversal-vulnerability-pnetlab\n","aliases":"CVE-2025-40629\n","assigner":"INCIBE","epss":0.0,"enisaIdProduct":[{"id":"465b1a10-100c-3bc7-902d-574c81e3225c","product":{"name":"PNETLab"},"product_version":"4.2.10"}],"enisaIdVendor":[{"id":"5ec19cb1-3a49-3f47-8baa-5c87d21b064d","vendor":{"name":"PNETLab"}}]},{"id":"EUVD-2025-13580","description":"SQL injection in TCMAN\u0027s GIM v11. This vulnerability allows an unauthenticated attacker to inject an SQL statement to obtain, update and delete all information in the database. 
For this vulnerability identifier, the affected parameter is the ‘username’ parameter of the ‘GetLastDatePasswordChange’ endpoint.","datePublished":"May 6, 2025, 12:30:24 PM","dateUpdated":"May 13, 2025, 9:30:35 PM","baseScore":9.3,"baseScoreVersion":"4.0","baseScoreVector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","references":"https://nvd.nist.gov/vuln/detail/CVE-2025-40622\nhttps://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-tcmans-gim\n","aliases":"CVE-2025-40622\nGHSA-869c-35xf-w582\n","assigner":"INCIBE","epss":0.09,"enisaIdProduct":[{"id":"7da6c973-b34f-3fff-9cff-af2df4ef1ab2","product":{"name":"GIM"},"product_version":"v11"}],"enisaIdVendor":[{"id":"49e22a99-88c5-3ce5-9d3f-af72c0bece80","vendor":{"name":"TCMAN"}}]},{"id":"EUVD-2025-13576","description":"SQL injection in TCMAN\u0027s GIM v11. This vulnerability allows an unauthenticated attacker to inject an SQL statement to obtain, update and delete all information in the database. For this vulnerability identifier, the affected parameters are the ‘Sender’ and ‘email’ parameters of the ‘createNotificationAndroid’ endpoint.","datePublished":"May 6, 2025, 12:30:24 PM","dateUpdated":"May 13, 2025, 9:30:35 PM","baseScore":9.3,"baseScoreVersion":"4.0","baseScoreVector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","references":"https://nvd.nist.gov/vuln/detail/CVE-2025-40623\nhttps://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-tcmans-gim\n","aliases":"CVE-2025-40623\nGHSA-gp5v-jq85-98hg\n","assigner":"INCIBE","epss":0.09,"enisaIdProduct":[{"id":"8d45424e-7de4-302a-ba85-9f504f0b29d6","product":{"name":"GIM"},"product_version":"v11"}],"enisaIdVendor":[{"id":"4c8374c3-41e7-37f4-84d5-e2c342de35fd","vendor":{"name":"TCMAN"}}]},{"id":"EUVD-2025-13575","description":"Unrestricted file upload in TCMAN\u0027s GIM v11. 
This vulnerability allows an unauthenticated attacker to upload any file to the server, including a malicious file that can be used to obtain Remote Code Execution (RCE).","datePublished":"May 6, 2025, 12:30:24 PM","dateUpdated":"May 13, 2025, 9:30:35 PM","baseScore":9.3,"baseScoreVersion":"4.0","baseScoreVector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","references":"https://nvd.nist.gov/vuln/detail/CVE-2025-40625\nhttps://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-tcmans-gim\n","aliases":"CVE-2025-40625\nGHSA-mccx-692g-vmcf\n","assigner":"INCIBE","epss":0.23,"enisaIdProduct":[{"id":"885579e3-454e-3577-b980-1e9ad31845ac","product":{"name":"GIM"},"product_version":"v11"}],"enisaIdVendor":[{"id":"b2bc2d52-7f6c-36e4-b510-76e73ef07a92","vendor":{"name":"TCMAN"}}]}]