CVE-2022-26247

Vulnerability

TMS version 2.28.0 contains an insecure permissions vulnerability in the endpoint /TMS/admin/user/Update2. The component fails to verify that the authenticated user has the right to modify the target account, allowing any logged-in user to change the administrator's password and other details without providing the original password. The vulnerability is triggered via a POST request to /tms/admin/user/update2 with parameters such as username, password, name, and mail [1].

Exploitation

An attacker must have a valid user account on the TMS system and network access to the application. The attacker logs in, navigates to the user modification interface, and intercepts the POST request using a proxy like Burp Suite. By changing the username parameter to admin and setting a new password, the attacker can forward the request to update the administrator account. No verification of the original password is required [1].

Impact

Successful exploitation allows the attacker to change the administrator password and potentially other account details, granting full administrative privileges. This leads to complete compromise of the TMS system, including unauthorized access to sensitive data, modification of system configurations, and potential denial of service [1].

Mitigation

As of the publication date, no official patch has been released by the vendor. Users should restrict network access to the TMS admin interface to trusted IPs, implement additional authentication checks (e.g., require original password for account changes), and monitor for any updates from the vendor. The CVE is not listed in the Known Exploited Vulnerabilities catalog [1].