
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

30 Dec 2024 — Tecnick TCExam – CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') • https://www.gov.il/en/Departments/faq/cve_advisories • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

30 Dec 2024 — Tecnick TCExam – Multiple CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • https://www.gov.il/en/Departments/faq/cve_advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

27 Dec 2024 — An issue was discovered in TCPDF before 6.8.0. setSVGStyles does not sanitize the SVG font-family attribute. • https://github.com/tecnickcom/TCPDF/commit/c9f41cbb84880bdb4fc3e0a9d287214d1ac4d7f4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

27 Dec 2024 — An issue was discovered in tc-lib-pdf-font before 2.6.4, as used in TCPDF before 6.8.0 and other products. Fonts are mishandled, e.g., FontBBox for Type 1 and TrueType fonts is misparsed. • https://github.com/tecnickcom/TCPDF/commit/a0a02efe487cc39bd5223359e916dbeafb5cd6fe

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

27 Dec 2024 — An issue was discovered in TCPDF before 6.8.0. If libcurl is used, CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER are set unsafely. • https://github.com/tecnickcom/TCPDF/commit/aab43ab0a824e956276141a28a24c7c0be20f554 • CWE-295: Improper Certificate Validation

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

27 Dec 2024 — An issue was discovered in TCPDF before 6.8.0. unserializeTCPDFtag uses != (aka loose comparison) and does not use a constant-time function to compare TCPDF tag hashes. • https://github.com/tecnickcom/TCPDF/commit/d54b97cec33f4f1a5ad81119a82085cad93cec89 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

27 Dec 2024 — An issue was discovered in TCPDF before 6.8.0. The Error function lacks an htmlspecialchars call for the error message. • https://andrea0.medium.com/analysis-of-cve-2024-56527-dbdab6962add • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Jan 2024 — When access to the "admin" folder is not protected by some external authorization mechanism, e.g. Apache Basic Auth, it is possible for any user to download protected information such as exam answers. • https://cert.pl/en/posts/2024/01/CVE-2023-6554 • CWE-862: Missing Authorization

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

05 Aug 2021 — A reflected cross-site scripting vulnerability exists in TCExam <= 14.8.4. The paths provided in the f, d, and dir parameters in tce_select_mediafile.php were not properly validated and could cause reflected XSS via the unsanitized output of the path supplied. An attacker could craft a malicious link which, if triggered by an administrator, could result in the attacker hijacking the victim's session or performing actions on their behalf. • https://www.tenable.com/security/research/tra-2021-32 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

05 Aug 2021 — A reflected cross-site scripting vulnerability exists in TCExam <= 14.8.3. The paths provided in the f, d, and dir parameters in tce_filemanager.php were not properly validated and could cause reflected XSS via the unsanitized output of the path supplied. An attacker could craft a malicious link which, if triggered by an administrator, could result in the attacker hijacking the victim's session or performing actions on their behalf. • https://www.tenable.com/security/research/tra-2021-32 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')