Stored Cross-Site Scripting Vulnerability in TCExam by TCExam Inc.
CVE-2021-20111

5.4MEDIUM

Key Information:

Vendor: Tecnick
Status: Tcexam
Vendor: CVE Published:; 30 July 2021

What is CVE-2021-20111?

A stored cross-site scripting vulnerability has been identified in TCExam versions up to 14.8.1. The issue arises when valid files uploaded through tce_filemanager.php include filenames that begin with a period, causing them to be rendered as text/html. This allows an attacker with access to tce_filemanager.php to upload a malicious JavaScript payload, which is executed when another user accesses the file. This vulnerability poses a significant risk to user data and application integrity, emphasizing the need for proper input validation and security measures.

Affected Version(s)

TCExam 14.8.1

References

https://www.tenable.com/security/research/tra-2021-32

x_refsource_MISC

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jul 30, 2021
Vulnerability Reserved
Dec 17, 2020

Tecnick

What is CVE-2021-20111?

Affected Version(s)

References

CVSS V3.1

Timeline