CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-6554 – Missing authorisation in TCExam
https://notcve.org/view.php?id=CVE-2023-6554
11 Jan 2024 — When access to the "admin" folder is not protected by some external authorization mechanisms e.g. Apache Basic Auth, it is possible for any user to download protected information like exam answers. Cuando el acceso a la carpeta "admin" no está protegido por algunos mecanismos de autorización externos, por ejemplo, Apache Basic Auth, cualquier usuario puede descargar información protegida, como las respuestas de los exámenes. • https://cert.pl/en/posts/2024/01/CVE-2023-6554 • CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-20116
https://notcve.org/view.php?id=CVE-2021-20116
05 Aug 2021 — A reflected cross-site scripting vulnerability exists in TCExam <= 14.8.4. The paths provided in the f, d, and dir parameters in tce_select_mediafile.php were not properly validated and could cause reflected XSS via the unsanitized output of the path supplied. An attacker could craft a malicious link which, if triggered by an administrator, could result in the attacker hijacking the victim's session or performing actions on their behalf. Se presenta una vulnerabilidad de tipo cross-site scripting reflejado ... • https://www.tenable.com/security/research/tra-2021-32 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-20115
https://notcve.org/view.php?id=CVE-2021-20115
05 Aug 2021 — A reflected cross-site scripting vulnerability exists in TCExam <= 14.8.3. The paths provided in the f, d, and dir parameters in tce_filemanager.php were not properly validated and could cause reflected XSS via the unsanitized output of the path supplied. An attacker could craft a malicious link which, if triggered by an administrator, could result in the attacker hijacking the victim's session or performing actions on their behalf. Se presenta una vulnerabilidad de cross-site scripting reflejada en TCExam ... • https://www.tenable.com/security/research/tra-2021-32 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 1CVE-2021-20114
https://notcve.org/view.php?id=CVE-2021-20114
29 Jul 2021 — When installed following the default/recommended settings, TCExam <= 14.8.1 allowed unauthenticated users to access the /cache/backup/ directory, which included sensitive database backup files. Cuando fue instalado siguiendo la configuración predeterminada y recomendada, TCExam versiones anteriores a 14.8.1 incluyéndola, permitía a usuarios no autenticados acceder al directorio /cache/backup/, que incluía archivos confidenciales de copia de seguridad de la base de datos • https://www.tenable.com/security/research/tra-2021-32 • CWE-425: Direct Request ('Forced Browsing') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2021-20113
https://notcve.org/view.php?id=CVE-2021-20113
29 Jul 2021 — An exposure of sensitive information vulnerability exists in TCExam <= 14.8.1. If a password reset request was made for an email address that was not registered with a user then we would be presented with an ‘unknown email’ error. If an email is given that is registered with a user then this error will not appear. A malicious actor could abuse this to enumerate the email addresses of Se presenta una vulnerabilidad de exposición de información confidencial en TCExam versiones anteriores a 14.8.1 incluyéndola... • https://www.tenable.com/security/research/tra-2021-32 • CWE-203: Observable Discrepancy •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-20112
https://notcve.org/view.php?id=CVE-2021-20112
29 Jul 2021 — A stored cross-site scripting vulnerability exists in TCExam <= 14.8.1. Valid files uploaded via tce_select_mediafile.php with a filename beggining with a period will be rendered as text/html. An attacker with access to tce_select_mediafile.php could upload a malicious javascript payload which would be triggered when another user views the file. Se presenta una vulnerabilidad de tipo cross-site scripting almacenada en TCExam versiones anteriores a 14.8.1 incluyéndola. Unos archivos válidos cargados por medi... • https://www.tenable.com/security/research/tra-2021-32 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-20111
https://notcve.org/view.php?id=CVE-2021-20111
29 Jul 2021 — A stored cross-site scripting vulnerability exists in TCExam <= 14.8.1. Valid files uploaded via tce_filemanager.php with a filename beggining with a period will be rendered as text/html. An attacker with access to tce_filemanager.php could upload a malicious javascript payload which would be triggered when another user views the file. Se presenta una vulnerabilidad de tipo cross-site scripting almacenado en TCExam versiones anteriores a 14.8.1 incluyéndola. Unos archivos válidos cargados por medio del arch... • https://www.tenable.com/security/research/tra-2021-32 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-13422
https://notcve.org/view.php?id=CVE-2018-13422
07 Jul 2018 — TCExam before 14.1.2 has XSS via an ff_ or xl_ field. TCExam en versiones anteriores a la 14.1.2 tiene Cross-Site Scripting (XSS) mediante un campo ff_ or xl_. • https://github.com/tecnickcom/tcexam/pull/223 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 102EXPL: 1CVE-2012-4601
https://notcve.org/view.php?id=CVE-2012-4601
23 Nov 2012 — Multiple SQL injection vulnerabilities in Nicola Asuni TCExam before 11.3.009 allow remote authenticated users with level 5 or greater permissions to execute arbitrary SQL commands via the (1) user_groups[] parameter to admin/code/tce_edit_test.php or (2) subject_id parameter to admin/code/tce_show_all_questions.php. Multiples vulnerabilidades de inyección SQL en Nicola Asuni TCExam anterior a v11.3.009 permite a usuarios remotos autenticados con nivel 5 o mayores permisos, ejecutar comandos SQL de su elecc... • http://freecode.com/projects/tcexam/releases/347588 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 102EXPL: 0CVE-2012-4602
https://notcve.org/view.php?id=CVE-2012-4602
23 Nov 2012 — Multiple cross-site scripting (XSS) vulnerabilities in admin/code/tce_select_users_popup.php in Nicola Asuni TCExam before 11.3.009 allow remote attackers to inject arbitrary web script or HTML via the (1) cid or (2) uids parameter. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en admin/code/tce_select_users_popup.php en Nicola Asuni TCExam anterior a v11.3.009, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de parámetro (1) cid o... • http://freecode.com/projects/tcexam/releases/347588 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •