Hi.
Our security IT department made an investigation into our TDM platform (4.8.1) and they found 2 issues.
1) Error messages with technical information useful to attackers
The application shows useful information to attackers through messages delivered to end users. It allows the attacker to know more about the platform.
Image 1: web service version
Image 2: return request from the server and its internal path where the portal is located
Image: platform and internal paths
2) No validation on the server side
During the security test they found that not all functionality entry points are validated on the server. It allows sending strange characters and the response being true, or the server does not clean the inputs properly. The security IT team recommends validating on the client and server side to prevent chaining into other vulnerabilities.
Image 4: request and original answer
Image: request with logical operator “not equal to”, which shows all the requests
Image 6: modifying the query can show all the content from the table
More information about the issue at:
https://cwe.mitre.org/data/definitions/20.html
https://cwe.mitre.org/data/definitions/209.html
https://www.htbridge.com/vulnerability/information-exposure-through-externally-generated-error-message.html
Release : 4.8
Component : CA Test Data Manager
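Added example, not code from the post or from CA Test Data Manager: a minimal lookup handler in Python that puts the two findings side by side. A value spliced straight into SQL lets a "not equal to" operator widen the WHERE clause to the whole table, while the hardened handler checks the column and value against server-side allowlists, binds the value as a parameter, and answers failures with generic messages so the stack trace, internal path and version stay in the server log. The table, column names and sample rows are constructed for the demonstration.

```python
import logging
import re
import sqlite3

log = logging.getLogger("filter-demo")

# Allowlists (constructed for this example): the only columns a lookup may
# filter on, and the only value shape the UI is expected to send.
ALLOWED_COLUMNS = {"name", "status"}
VALUE_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


class ValidationError(ValueError):
    """Raised when a client-supplied filter fails server-side validation."""


def vulnerable_lookup(conn, value):
    """Trusts the client: the value is spliced into the SQL text, so a value
    carrying an operator such as <> widens the WHERE clause to every row."""
    return conn.execute(f"SELECT name FROM records WHERE name = '{value}'").fetchall()


def hardened_handle(conn, params):
    """Validates every part of the filter, binds the value as a parameter and
    maps failures to generic responses; internals go to the server log only."""
    column = params.get("column", "")
    value = params.get("value", "")
    try:
        if column not in ALLOWED_COLUMNS:
            raise ValidationError("column")
        if not VALUE_RE.fullmatch(value):
            raise ValidationError("value")
        # column is an allowlisted literal; the value never enters the SQL text
        rows = conn.execute(f"SELECT name FROM records WHERE {column} = ?", (value,)).fetchall()
        return 200, {"rows": [r[0] for r in rows]}
    except ValidationError as exc:
        log.warning("rejected filter %r (bad %s)", params, exc)
        return 400, {"error": "Invalid filter"}
    except Exception:
        log.exception("lookup failed for %r", params)  # stack trace stays server-side
        return 500, {"error": "Internal error"}        # no path, version or query text


def demo_db():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (name TEXT, status TEXT)")
    conn.executemany("INSERT INTO records VALUES (?, ?)",
                     [("alpha", "active"), ("beta", "retired"), ("gamma", "active")])
    return conn
```

Running `vulnerable_lookup(demo_db(), "zzz' OR name <> 'zzz")` returns all three rows, while `hardened_handle` rejects the same value with a 400 and a generic body.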