Trimble TM4Web 22.2.0 Privilege Escalation / Access Code Disclosure

An access control issue in Trimble TM4Web version 22.2.0 allows unauthenticated attackers to access a specific crafted URL path to retrieve the last registration access code and use this access code to register a valid account. If the access code was used to create an Administrator account, attackers are also able to register new Administrator accounts with full rights and privileges.

access access control account administrator attackers code control disclosure escalation issue path privilege privilege escalation register registration unauthenticated url valid version