Stored Cross-Site Scripting Vulnerability in TCExam by E-licker
CVE-2021-20112
5.4 MEDIUM
What is CVE-2021-20112?
A stored cross-site scripting vulnerability exists in TCExam versions up to 14.8.1. This vulnerability allows valid files uploaded through tce_select_mediafile.php, specifically those whose filenames start with a period, to be treated as text/html. Consequently, an attacker gaining access to this file upload functionality could deliver a malicious JavaScript payload. When another user accesses the affected file, the payload executes, potentially compromising user data and application integrity.
Affected Version(s)
TCExam 14.8.1
CVSS V3.1
Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved