CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-6554 – Missing authorisation in TCExam
https://notcve.org/view.php?id=CVE-2023-6554
11 Jan 2024 — When access to the "admin" folder is not protected by some external authorization mechanisms e.g. Apache Basic Auth, it is possible for any user to download protected information like exam answers. Cuando el acceso a la carpeta "admin" no está protegido por algunos mecanismos de autorización externos, por ejemplo, Apache Basic Auth, cualquier usuario puede descargar información protegida, como las respuestas de los exámenes. • https://cert.pl/en/posts/2024/01/CVE-2023-6554 • CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-20116
https://notcve.org/view.php?id=CVE-2021-20116
05 Aug 2021 — A reflected cross-site scripting vulnerability exists in TCExam <= 14.8.4. The paths provided in the f, d, and dir parameters in tce_select_mediafile.php were not properly validated and could cause reflected XSS via the unsanitized output of the path supplied. An attacker could craft a malicious link which, if triggered by an administrator, could result in the attacker hijacking the victim's session or performing actions on their behalf. Se presenta una vulnerabilidad de tipo cross-site scripting reflejado ... • https://www.tenable.com/security/research/tra-2021-32 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-20115
https://notcve.org/view.php?id=CVE-2021-20115
05 Aug 2021 — A reflected cross-site scripting vulnerability exists in TCExam <= 14.8.3. The paths provided in the f, d, and dir parameters in tce_filemanager.php were not properly validated and could cause reflected XSS via the unsanitized output of the path supplied. An attacker could craft a malicious link which, if triggered by an administrator, could result in the attacker hijacking the victim's session or performing actions on their behalf. Se presenta una vulnerabilidad de cross-site scripting reflejada en TCExam ... • https://www.tenable.com/security/research/tra-2021-32 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 1CVE-2021-20114
https://notcve.org/view.php?id=CVE-2021-20114
29 Jul 2021 — When installed following the default/recommended settings, TCExam <= 14.8.1 allowed unauthenticated users to access the /cache/backup/ directory, which included sensitive database backup files. Cuando fue instalado siguiendo la configuración predeterminada y recomendada, TCExam versiones anteriores a 14.8.1 incluyéndola, permitía a usuarios no autenticados acceder al directorio /cache/backup/, que incluía archivos confidenciales de copia de seguridad de la base de datos • https://www.tenable.com/security/research/tra-2021-32 • CWE-425: Direct Request ('Forced Browsing') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2021-20113
https://notcve.org/view.php?id=CVE-2021-20113
29 Jul 2021 — An exposure of sensitive information vulnerability exists in TCExam <= 14.8.1. If a password reset request was made for an email address that was not registered with a user then we would be presented with an ‘unknown email’ error. If an email is given that is registered with a user then this error will not appear. A malicious actor could abuse this to enumerate the email addresses of Se presenta una vulnerabilidad de exposición de información confidencial en TCExam versiones anteriores a 14.8.1 incluyéndola... • https://www.tenable.com/security/research/tra-2021-32 • CWE-203: Observable Discrepancy •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-20112
https://notcve.org/view.php?id=CVE-2021-20112
29 Jul 2021 — A stored cross-site scripting vulnerability exists in TCExam <= 14.8.1. Valid files uploaded via tce_select_mediafile.php with a filename beggining with a period will be rendered as text/html. An attacker with access to tce_select_mediafile.php could upload a malicious javascript payload which would be triggered when another user views the file. Se presenta una vulnerabilidad de tipo cross-site scripting almacenada en TCExam versiones anteriores a 14.8.1 incluyéndola. Unos archivos válidos cargados por medi... • https://www.tenable.com/security/research/tra-2021-32 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-20111
https://notcve.org/view.php?id=CVE-2021-20111
29 Jul 2021 — A stored cross-site scripting vulnerability exists in TCExam <= 14.8.1. Valid files uploaded via tce_filemanager.php with a filename beggining with a period will be rendered as text/html. An attacker with access to tce_filemanager.php could upload a malicious javascript payload which would be triggered when another user views the file. Se presenta una vulnerabilidad de tipo cross-site scripting almacenado en TCExam versiones anteriores a 14.8.1 incluyéndola. Unos archivos válidos cargados por medio del arch... • https://www.tenable.com/security/research/tra-2021-32 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2020-5750
https://notcve.org/view.php?id=CVE-2020-5750
07 May 2020 — Insufficient output sanitization in TCExam 14.2.2 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks via the self-registration feature. Un saneamiento de la salida insuficiente en TCExam versión 14.2.2, permite a un atacante no autenticado remoto conducir ataques de tipo cross-site scripting (XSS) persistente por medio de la funcionalidad de autorregistro. • https://www.tenable.com/security/research/tra-2020-31 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-5749
https://notcve.org/view.php?id=CVE-2020-5749
07 May 2020 — Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted group. Un saneamiento de la salida insuficiente en TCExam versión 14.2.2, permite a un atacante remoto autenticado conducir ataques de tipo cross-site scripting (XSS) persistente mediante la creación de un grupo diseñado. • https://www.tenable.com/security/research/tra-2020-31 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-5751
https://notcve.org/view.php?id=CVE-2020-5751
07 May 2020 — Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted operator. Un saneamiento de la salida insuficiente en TCExam versión 14.2.2, permite a un atacante autenticado remoto conducir ataques de tipo cross-site scripting (XSS) persistente mediante la creación de un operador diseñado. • https://www.tenable.com/security/research/tra-2020-31 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •