Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Multiple Vulnerabilities in TCExam

Critical

Synopsis

A researcher at Tenable discovered multiple vulnerabilities in TCExam 14.8.1.

CVE-2021-20111 - Stored Cross Site Scripting Vulnerability in tce_filemanager.php

CVSSv3 Base Score: 4.6
CVSSv3 Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CWE: 79

A stored cross-site scripting vulnerability exists in TCExam <= 14.8.1. Valid files uploaded via tce_filemanager.php with a filename beggining with a period will be rendered as text/html. An attacker with access to tce_filemanager.php could upload a malicious javascript payload which would be triggered when another user views the file (either via tce_filemanager.php, other pages which allow the viewing of files, or via direct link).

CVE-2021-20112 - Stored Cross Site Scripting Vulnerability in tce_select_mediafile.php

CVSSv3 Base Score: 4.6
CVSSv3 Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CWE: 79

A stored cross-site scripting vulnerability exists in TCExam <= 14.8.1. Valid files uploaded via tce_select_mediafile.php with a filename beggining with a period will be rendered as text/html. An attacker with access to tce_select_mediafile.php could upload a malicious javascript payload which would be triggered when another user views the file (either via tce_select_mediafile.php, other pages which allow the viewing of files, or via direct link).

CVE-2021-20113 - Unauthenticated User Enumeration

CVSSv3 Base Score: 5.3
CVSSv3 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-203
An exposure of sensitive information vulnerability exists in TCExam <= 14.8.1. If a password reset request was made for an email address that was not registered with a user then we would be presented with an ‘unknown email’ error. If an email is given that is registered with a user then this error will not appear. A malicious actor could abuse this to enumerate the email addresses of registered users.

CVE-2021-20114 - Unauthenticated Access to Sensitive Objects via /cache/backup/

CVSSv3 Base Score: 9.1
CVSSv3 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE: 200
When installed following the default/recommended settings, TCExam <= 14.8.1 allowed unauthenticated users to access the /cache/backup/ directory, which included sensitive database backup files.

Among other things, these backup files contain usernames, password hashes and other user information that was supplied on signup.