CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 1CVE-2021-20114
https://notcve.org/view.php?id=CVE-2021-20114
29 Jul 2021 — When installed following the default/recommended settings, TCExam <= 14.8.1 allowed unauthenticated users to access the /cache/backup/ directory, which included sensitive database backup files. Cuando fue instalado siguiendo la configuración predeterminada y recomendada, TCExam versiones anteriores a 14.8.1 incluyéndola, permitía a usuarios no autenticados acceder al directorio /cache/backup/, que incluía archivos confidenciales de copia de seguridad de la base de datos • https://www.tenable.com/security/research/tra-2021-32 • CWE-425: Direct Request ('Forced Browsing') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2021-20113
https://notcve.org/view.php?id=CVE-2021-20113
29 Jul 2021 — An exposure of sensitive information vulnerability exists in TCExam <= 14.8.1. If a password reset request was made for an email address that was not registered with a user then we would be presented with an ‘unknown email’ error. If an email is given that is registered with a user then this error will not appear. A malicious actor could abuse this to enumerate the email addresses of Se presenta una vulnerabilidad de exposición de información confidencial en TCExam versiones anteriores a 14.8.1 incluyéndola... • https://www.tenable.com/security/research/tra-2021-32 • CWE-203: Observable Discrepancy •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-20112
https://notcve.org/view.php?id=CVE-2021-20112
29 Jul 2021 — A stored cross-site scripting vulnerability exists in TCExam <= 14.8.1. Valid files uploaded via tce_select_mediafile.php with a filename beggining with a period will be rendered as text/html. An attacker with access to tce_select_mediafile.php could upload a malicious javascript payload which would be triggered when another user views the file. Se presenta una vulnerabilidad de tipo cross-site scripting almacenada en TCExam versiones anteriores a 14.8.1 incluyéndola. Unos archivos válidos cargados por medi... • https://www.tenable.com/security/research/tra-2021-32 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-20111
https://notcve.org/view.php?id=CVE-2021-20111
29 Jul 2021 — A stored cross-site scripting vulnerability exists in TCExam <= 14.8.1. Valid files uploaded via tce_filemanager.php with a filename beggining with a period will be rendered as text/html. An attacker with access to tce_filemanager.php could upload a malicious javascript payload which would be triggered when another user views the file. Se presenta una vulnerabilidad de tipo cross-site scripting almacenado en TCExam versiones anteriores a 14.8.1 incluyéndola. Unos archivos válidos cargados por medio del arch... • https://www.tenable.com/security/research/tra-2021-32 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2020-5750
https://notcve.org/view.php?id=CVE-2020-5750
07 May 2020 — Insufficient output sanitization in TCExam 14.2.2 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks via the self-registration feature. Un saneamiento de la salida insuficiente en TCExam versión 14.2.2, permite a un atacante no autenticado remoto conducir ataques de tipo cross-site scripting (XSS) persistente por medio de la funcionalidad de autorregistro. • https://www.tenable.com/security/research/tra-2020-31 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-5749
https://notcve.org/view.php?id=CVE-2020-5749
07 May 2020 — Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted group. Un saneamiento de la salida insuficiente en TCExam versión 14.2.2, permite a un atacante remoto autenticado conducir ataques de tipo cross-site scripting (XSS) persistente mediante la creación de un grupo diseñado. • https://www.tenable.com/security/research/tra-2020-31 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-5751
https://notcve.org/view.php?id=CVE-2020-5751
07 May 2020 — Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted operator. Un saneamiento de la salida insuficiente en TCExam versión 14.2.2, permite a un atacante autenticado remoto conducir ataques de tipo cross-site scripting (XSS) persistente mediante la creación de un operador diseñado. • https://www.tenable.com/security/research/tra-2020-31 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2020-5748
https://notcve.org/view.php?id=CVE-2020-5748
07 May 2020 — Insufficient output sanitization in TCExam 14.2.2 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks via the self-registration feature. Un saneamiento de la salida insuficiente en TCExam versión 14.2.2, permite a un atacante remoto no autenticado conducir ataques de tipo cross-site scripting (XSS) persistente por medio de la funcionalidad de autorregistro. • https://www.tenable.com/security/research/tra-2020-31 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-5745
https://notcve.org/view.php?id=CVE-2020-5745
07 May 2020 — Cross-site request forgery in TCExam 14.2.2 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link. Una vulnerabilidad de tipo cross-site request forgery en TCExam versión 14.2.2, permite a un atacante remoto llevar a cabo acciones confidenciales de la aplicación al engañar a los usuarios legítimos para que hagan clic en un enlace diseñado. • https://www.tenable.com/security/research/tra-2020-31 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-5746
https://notcve.org/view.php?id=CVE-2020-5746
07 May 2020 — Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted test. Un saneamiento de la salida insuficiente en TCExam versión 14.2.2, permite a un atacante remoto autenticado conducir ataques de tipo cross-site scripting (XSS) persistente mediante la creación de una prueba diseñada. • https://www.tenable.com/security/research/tra-2020-31 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •