CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-5747
https://notcve.org/view.php?id=CVE-2020-5747
Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted test. Un saneamiento de la salida insuficiente en TCExam versión 14.2.2, permite a un atacante remoto autenticado conducir ataques de tipo cross-site scripting (XSS) persistente mediante la creación de una prueba diseñada. • https://www.tenable.com/security/research/tra-2020-31 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 26%CPEs: 2EXPL: 2CVE-2018-17057 – LimeSurvey < 3.16 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-17057
An issue was discovered in TCPDF before 6.2.22. Attackers can trigger deserialization of arbitrary data via the phar:// wrapper. Se ha descubierto un problema en TCPDF en versiones anteriores a la 6.2.22. Los atacantes pueden desencadenar la deserialización de datos arbitrarios mediante el wrapper phar: . TCPDF versions 6.2.19 and below suffer from a deserialization vulnerability that can allow for remote code execution. • https://www.exploit-db.com/exploits/46634 http://packetstormsecurity.com/files/152200/TCPDF-6.2.19-Deserialization-Remote-Code-Execution.html http://packetstormsecurity.com/files/152360/LimeSurvey-Deserialization-Remote-Code-Execution.html http://seclists.org/fulldisclosure/2019/Mar/36 https://contao.org/en/news/security-vulnerability-cve-2018-17057.html https://github.com/LimeSurvey/LimeSurvey/commit/1cdd78d27697b3150bb44aaa7af1a81062a591a5 https://github.com/tecnickcom/TCPDF/commit/1861e33fe05f653b67d070f7c106463e7a5c26ed • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-13422
https://notcve.org/view.php?id=CVE-2018-13422
TCExam before 14.1.2 has XSS via an ff_ or xl_ field. TCExam en versiones anteriores a la 14.1.2 tiene Cross-Site Scripting (XSS) mediante un campo ff_ or xl_. • https://github.com/tecnickcom/tcexam/pull/223 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.0EPSS: 0%CPEs: 102EXPL: 1CVE-2012-4601
https://notcve.org/view.php?id=CVE-2012-4601
Multiple SQL injection vulnerabilities in Nicola Asuni TCExam before 11.3.009 allow remote authenticated users with level 5 or greater permissions to execute arbitrary SQL commands via the (1) user_groups[] parameter to admin/code/tce_edit_test.php or (2) subject_id parameter to admin/code/tce_show_all_questions.php. Multiples vulnerabilidades de inyección SQL en Nicola Asuni TCExam anterior a v11.3.009 permite a usuarios remotos autenticados con nivel 5 o mayores permisos, ejecutar comandos SQL de su elección a través del parámetro (1) user_groups[] para admin/code/tce_edit_test.php o (2) subject_id para admin/code/tce_show_all_questions.php. • http://freecode.com/projects/tcexam/releases/347588 http://secunia.com/advisories/50539 http://sourceforge.net/projects/tcexam/files/CHANGELOG.TXT/view http://tcexam.git.sourceforge.net/git/gitweb.cgi?p=tcexam/tcexam%3Ba=commit%3Bh=3e1ed3c02122eae182f076daabe903b0c8837971 https://www.htbridge.com/advisory/HTB23111 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 102EXPL: 0CVE-2012-4602
https://notcve.org/view.php?id=CVE-2012-4602
Multiple cross-site scripting (XSS) vulnerabilities in admin/code/tce_select_users_popup.php in Nicola Asuni TCExam before 11.3.009 allow remote attackers to inject arbitrary web script or HTML via the (1) cid or (2) uids parameter. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en admin/code/tce_select_users_popup.php en Nicola Asuni TCExam anterior a v11.3.009, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de parámetro (1) cid o (2) uids. • http://freecode.com/projects/tcexam/releases/347588 http://secunia.com/advisories/50539 http://sourceforge.net/projects/tcexam/files/CHANGELOG.TXT/view http://tcexam.git.sourceforge.net/git/gitweb.cgi?p=tcexam/tcexam%3Ba=commit%3Bh=3e1ed3c02122eae182f076daabe903b0c8837971 https://www.htbridge.com/advisory/HTB23111 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •