MidnightBSD

Advisories for tecnick

CVE-2009-4747 HIGH

PHP remote file inclusion vulnerability in public/code/cp_html2xhtmlbasic.php in All In One Control Panel (AIOCP) 1.4.001 allows remote attackers to execute arbitrary PHP code via a URL in the page parameter, a different vector than CVE-2009-3220.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94

Products Affected

Vendor Product Version
tecnick aiocp 1.4.001
CVE-2010-2153 MEDIUM

Unrestricted file upload vulnerability in admin/code/tce_functions_tcecode_editor.php in TCExam 10.1.006 and 10.1.007 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in cache/.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
tecnick tcexam 10.1.007
tecnick tcexam 10.1.006
CVE-2011-3806 MEDIUM

TCExam 11.1.015 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by public/code/tce_page_footer.php and certain other files.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200

Products Affected

Vendor Product Version
tecnick tcexam 11.1.015
CVE-2012-4237 MEDIUM

Multiple SQL injection vulnerabilities in TCExam before 11.3.008 allow remote authenticated users with level 5 or greater permissions to execute arbitrary SQL commands via the subject_module_id parameter to (1) tce_edit_answer.php or (2) tce_edit_question.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89

Products Affected

Vendor Product Version
tecnick tcexam 10.1.011
tecnick tcexam 11.1.001
tecnick tcexam 11.1.002
tecnick tcexam 11.1.007
tecnick tcexam 11.0.008
tecnick tcexam 11.2.022
tecnick tcexam 11.0.011
tecnick tcexam 11.1.005
tecnick tcexam 11.1.025
tecnick tcexam 11.1.013
tecnick tcexam 11.2.010
tecnick tcexam 11.1.000
tecnick tcexam 11.2.013
tecnick tcexam 11.2.026
tecnick tcexam 11.2.011
tecnick tcexam 10.1.001
tecnick tcexam 11.2.014
tecnick tcexam 11.2.016
tecnick tcexam 11.1.011
tecnick tcexam 11.1.031
tecnick tcexam 11.2.021
tecnick tcexam 11.2.001
tecnick tcexam 11.0.004
tecnick tcexam *
tecnick tcexam 11.1.017
tecnick tcexam 11.2.030
tecnick tcexam 11.3.002
tecnick tcexam 11.2.004
tecnick tcexam 11.1.015
tecnick tcexam 11.0.006
tecnick tcexam 11.0.013
tecnick tcexam 11.2.012
tecnick tcexam 11.1.021
tecnick tcexam 11.1.018
tecnick tcexam 10.1.006
tecnick tcexam 11.2.025
tecnick tcexam 10.1.009
tecnick tcexam 11.0.002
tecnick tcexam 11.1.009
tecnick tcexam 10.1.012
tecnick tcexam 11.1.024
tecnick tcexam 11.2.018
tecnick tcexam 10.1.000
tecnick tcexam 11.2.017
tecnick tcexam 11.2.028
tecnick tcexam 10.1.005
tecnick tcexam 11.3.006
tecnick tcexam 11.1.023
tecnick tcexam 11.2.005
tecnick tcexam 11.2.007
tecnick tcexam 11.2.031
tecnick tcexam 11.0.001
tecnick tcexam 10.1.008
tecnick tcexam 11.1.010
tecnick tcexam 10.1.003
tecnick tcexam 11.0.012
tecnick tcexam 11.2.006
tecnick tcexam 11.2.003
tecnick tcexam 11.1.006
tecnick tcexam 11.1.016
tecnick tcexam 10.1.002
tecnick tcexam 11.2.020
tecnick tcexam 11.3.004
tecnick tcexam 11.1.026
tecnick tcexam 11.2.027
tecnick tcexam 11.2.000
tecnick tcexam 11.1.020
tecnick tcexam 11.1.012
tecnick tcexam 11.0.000
tecnick tcexam 10.1.007
tecnick tcexam 10.1.013
tecnick tcexam 11.2.008
tecnick tcexam 10.1.010
tecnick tcexam 11.0.015
tecnick tcexam 11.0.005
tecnick tcexam 11.1.027
tecnick tcexam 11.3.003
tecnick tcexam 11.1.029
tecnick tcexam 11.2.002
tecnick tcexam 11.3.001
tecnick tcexam 11.2.032
tecnick tcexam 11.0.007
tecnick tcexam 11.1.008
tecnick tcexam 11.1.003
tecnick tcexam 11.3.005
tecnick tcexam 11.1.004
tecnick tcexam 11.2.029
tecnick tcexam 11.1.028
tecnick tcexam 11.1.030
tecnick tcexam 11.1.022
tecnick tcexam 11.2.015
tecnick tcexam 11.3.000
tecnick tcexam 11.0.009
tecnick tcexam 11.1.014
tecnick tcexam 11.1.019
tecnick tcexam 10.1.004
tecnick tcexam 11.0.010
tecnick tcexam 11.0.014
tecnick tcexam 11.0.016
tecnick tcexam 11.2.023
tecnick tcexam 11.0.003
CVE-2012-4238 LOW

Cross-site scripting (XSS) vulnerability in admin/code/tce_edit_answer.php in TCExam before 11.3.008 allows remote authenticated users with level 5 or greater permissions to inject arbitrary web script or HTML via the question_subject_id parameter.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79

Products Affected

Vendor Product Version
tecnick tcexam 10.1.011
tecnick tcexam 11.1.001
tecnick tcexam 11.1.002
tecnick tcexam 11.1.007
tecnick tcexam 11.0.008
tecnick tcexam 11.2.022
tecnick tcexam 11.0.011
tecnick tcexam 11.1.005
tecnick tcexam 11.1.025
tecnick tcexam 11.1.013
tecnick tcexam 11.2.010
tecnick tcexam 11.1.000
tecnick tcexam 11.2.013
tecnick tcexam 11.2.026
tecnick tcexam 11.2.011
tecnick tcexam 10.1.001
tecnick tcexam 11.2.014
tecnick tcexam 11.2.016
tecnick tcexam 11.1.011
tecnick tcexam 11.1.031
tecnick tcexam 11.2.021
tecnick tcexam 11.2.001
tecnick tcexam 11.0.004
tecnick tcexam *
tecnick tcexam 11.1.017
tecnick tcexam 11.2.030
tecnick tcexam 11.3.002
tecnick tcexam 11.2.004
tecnick tcexam 11.1.015
tecnick tcexam 11.0.006
tecnick tcexam 11.0.013
tecnick tcexam 11.2.012
tecnick tcexam 11.1.021
tecnick tcexam 11.1.018
tecnick tcexam 10.1.006
tecnick tcexam 11.2.025
tecnick tcexam 10.1.009
tecnick tcexam 11.0.002
tecnick tcexam 11.1.009
tecnick tcexam 10.1.012
tecnick tcexam 11.1.024
tecnick tcexam 11.2.018
tecnick tcexam 10.1.000
tecnick tcexam 11.2.017
tecnick tcexam 11.2.028
tecnick tcexam 10.1.005
tecnick tcexam 11.3.006
tecnick tcexam 11.1.023
tecnick tcexam 11.2.005
tecnick tcexam 11.2.007
tecnick tcexam 11.2.031
tecnick tcexam 11.0.001
tecnick tcexam 10.1.008
tecnick tcexam 11.1.010
tecnick tcexam 10.1.003
tecnick tcexam 11.0.012
tecnick tcexam 11.2.006
tecnick tcexam 11.2.003
tecnick tcexam 11.1.006
tecnick tcexam 11.1.016
tecnick tcexam 10.1.002
tecnick tcexam 11.2.020
tecnick tcexam 11.3.004
tecnick tcexam 11.1.026
tecnick tcexam 11.2.027
tecnick tcexam 11.2.000
tecnick tcexam 11.1.020
tecnick tcexam 11.1.012
tecnick tcexam 11.0.000
tecnick tcexam 10.1.007
tecnick tcexam 10.1.013
tecnick tcexam 11.2.008
tecnick tcexam 10.1.010
tecnick tcexam 11.0.015
tecnick tcexam 11.0.005
tecnick tcexam 11.1.027
tecnick tcexam 11.3.003
tecnick tcexam 11.1.029
tecnick tcexam 11.2.002
tecnick tcexam 11.3.001
tecnick tcexam 11.2.032
tecnick tcexam 11.0.007
tecnick tcexam 11.1.008
tecnick tcexam 11.1.003
tecnick tcexam 11.3.005
tecnick tcexam 11.1.004
tecnick tcexam 11.2.029
tecnick tcexam 11.1.028
tecnick tcexam 11.1.030
tecnick tcexam 11.1.022
tecnick tcexam 11.2.015
tecnick tcexam 11.3.000
tecnick tcexam 11.0.009
tecnick tcexam 11.1.014
tecnick tcexam 11.1.019
tecnick tcexam 10.1.004
tecnick tcexam 11.0.010
tecnick tcexam 11.0.014
tecnick tcexam 11.0.016
tecnick tcexam 11.2.023
tecnick tcexam 11.0.003
CVE-2012-4601 MEDIUM

Multiple SQL injection vulnerabilities in Nicola Asuni TCExam before 11.3.009 allow remote authenticated users with level 5 or greater permissions to execute arbitrary SQL commands via the (1) user_groups[] parameter to admin/code/tce_edit_test.php or (2) subject_id parameter to admin/code/tce_show_all_questions.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89

Products Affected

Vendor Product Version
tecnick tcexam 10.1.011
tecnick tcexam 11.1.001
tecnick tcexam 11.1.002
tecnick tcexam 11.1.007
tecnick tcexam 11.0.008
tecnick tcexam 11.2.022
tecnick tcexam 11.0.011
tecnick tcexam 11.1.005
tecnick tcexam 11.1.025
tecnick tcexam 11.1.013
tecnick tcexam 11.2.010
tecnick tcexam 11.1.000
tecnick tcexam 11.2.013
tecnick tcexam 11.2.026
tecnick tcexam 11.2.011
tecnick tcexam 10.1.001
tecnick tcexam 11.2.014
tecnick tcexam 11.2.016
tecnick tcexam 11.1.011
tecnick tcexam 11.1.031
tecnick tcexam 11.2.021
tecnick tcexam 11.2.001
tecnick tcexam 11.0.004
tecnick tcexam *
tecnick tcexam 11.1.017
tecnick tcexam 11.2.030
tecnick tcexam 11.3.002
tecnick tcexam 11.2.004
tecnick tcexam 11.1.015
tecnick tcexam 11.0.006
tecnick tcexam 11.0.013
tecnick tcexam 11.2.012
tecnick tcexam 11.1.021
tecnick tcexam 11.1.018
tecnick tcexam 10.1.006
tecnick tcexam 11.2.025
tecnick tcexam 10.1.009
tecnick tcexam 11.0.002
tecnick tcexam 11.1.009
tecnick tcexam 10.1.012
tecnick tcexam 11.1.024
tecnick tcexam 11.2.018
tecnick tcexam 10.1.000
tecnick tcexam 11.2.017
tecnick tcexam 11.2.028
tecnick tcexam 10.1.005
tecnick tcexam 11.3.006
tecnick tcexam 11.1.023
tecnick tcexam 11.2.005
tecnick tcexam 11.2.007
tecnick tcexam 11.2.031
tecnick tcexam 11.0.001
tecnick tcexam 10.1.008
tecnick tcexam 11.1.010
tecnick tcexam 10.1.003
tecnick tcexam 11.0.012
tecnick tcexam 11.2.006
tecnick tcexam 11.2.003
tecnick tcexam 11.1.006
tecnick tcexam 11.1.016
tecnick tcexam 10.1.002
tecnick tcexam 11.2.020
tecnick tcexam 11.3.004
tecnick tcexam 11.1.026
tecnick tcexam 11.2.027
tecnick tcexam 11.3.007
tecnick tcexam 11.2.000
tecnick tcexam 11.1.020
tecnick tcexam 11.1.012
tecnick tcexam 11.0.000
tecnick tcexam 10.1.007
tecnick tcexam 10.1.013
tecnick tcexam 11.2.008
tecnick tcexam 10.1.010
tecnick tcexam 11.0.015
tecnick tcexam 11.0.005
tecnick tcexam 11.1.027
tecnick tcexam 11.3.003
tecnick tcexam 11.1.029
tecnick tcexam 11.2.002
tecnick tcexam 11.3.001
tecnick tcexam 11.2.032
tecnick tcexam 11.0.007
tecnick tcexam 11.1.008
tecnick tcexam 11.1.003
tecnick tcexam 11.3.005
tecnick tcexam 11.1.004
tecnick tcexam 11.2.029
tecnick tcexam 11.1.028
tecnick tcexam 11.1.030
tecnick tcexam 11.1.022
tecnick tcexam 11.2.015
tecnick tcexam 11.3.000
tecnick tcexam 11.0.009
tecnick tcexam 11.1.014
tecnick tcexam 11.1.019
tecnick tcexam 10.1.004
tecnick tcexam 11.0.010
tecnick tcexam 11.0.014
tecnick tcexam 11.0.016
tecnick tcexam 11.2.023
tecnick tcexam 11.0.003
CVE-2012-4602 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in admin/code/tce_select_users_popup.php in Nicola Asuni TCExam before 11.3.009 allow remote attackers to inject arbitrary web script or HTML via the (1) cid or (2) uids parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor Product Version
tecnick tcexam 10.1.011
tecnick tcexam 11.1.001
tecnick tcexam 11.1.002
tecnick tcexam 11.1.007
tecnick tcexam 11.0.008
tecnick tcexam 11.2.022
tecnick tcexam 11.0.011
tecnick tcexam 11.1.005
tecnick tcexam 11.1.025
tecnick tcexam 11.1.013
tecnick tcexam 11.2.010
tecnick tcexam 11.1.000
tecnick tcexam 11.2.013
tecnick tcexam 11.2.026
tecnick tcexam 11.2.011
tecnick tcexam 10.1.001
tecnick tcexam 11.2.014
tecnick tcexam 11.2.016
tecnick tcexam 11.1.011
tecnick tcexam 11.1.031
tecnick tcexam 11.2.021
tecnick tcexam 11.2.001
tecnick tcexam 11.0.004
tecnick tcexam *
tecnick tcexam 11.1.017
tecnick tcexam 11.2.030
tecnick tcexam 11.3.002
tecnick tcexam 11.2.004
tecnick tcexam 11.1.015
tecnick tcexam 11.0.006
tecnick tcexam 11.0.013
tecnick tcexam 11.2.012
tecnick tcexam 11.1.021
tecnick tcexam 11.1.018
tecnick tcexam 10.1.006
tecnick tcexam 11.2.025
tecnick tcexam 10.1.009
tecnick tcexam 11.0.002
tecnick tcexam 11.1.009
tecnick tcexam 10.1.012
tecnick tcexam 11.1.024
tecnick tcexam 11.2.018
tecnick tcexam 10.1.000
tecnick tcexam 11.2.017
tecnick tcexam 11.2.028
tecnick tcexam 10.1.005
tecnick tcexam 11.3.006
tecnick tcexam 11.1.023
tecnick tcexam 11.2.005
tecnick tcexam 11.2.007
tecnick tcexam 11.2.031
tecnick tcexam 11.0.001
tecnick tcexam 10.1.008
tecnick tcexam 11.1.010
tecnick tcexam 10.1.003
tecnick tcexam 11.0.012
tecnick tcexam 11.2.006
tecnick tcexam 11.2.003
tecnick tcexam 11.1.006
tecnick tcexam 11.1.016
tecnick tcexam 10.1.002
tecnick tcexam 11.2.020
tecnick tcexam 11.3.004
tecnick tcexam 11.1.026
tecnick tcexam 11.2.027
tecnick tcexam 11.3.007
tecnick tcexam 11.2.000
tecnick tcexam 11.1.020
tecnick tcexam 11.1.012
tecnick tcexam 11.0.000
tecnick tcexam 10.1.007
tecnick tcexam 10.1.013
tecnick tcexam 11.2.008
tecnick tcexam 10.1.010
tecnick tcexam 11.0.015
tecnick tcexam 11.0.005
tecnick tcexam 11.1.027
tecnick tcexam 11.3.003
tecnick tcexam 11.1.029
tecnick tcexam 11.2.002
tecnick tcexam 11.3.001
tecnick tcexam 11.2.032
tecnick tcexam 11.0.007
tecnick tcexam 11.1.008
tecnick tcexam 11.1.003
tecnick tcexam 11.3.005
tecnick tcexam 11.1.004
tecnick tcexam 11.2.029
tecnick tcexam 11.1.028
tecnick tcexam 11.1.030
tecnick tcexam 11.1.022
tecnick tcexam 11.2.015
tecnick tcexam 11.3.000
tecnick tcexam 11.0.009
tecnick tcexam 11.1.014
tecnick tcexam 11.1.019
tecnick tcexam 10.1.004
tecnick tcexam 11.0.010
tecnick tcexam 11.0.014
tecnick tcexam 11.0.016
tecnick tcexam 11.2.023
tecnick tcexam 11.0.003
CVE-2018-13422 MEDIUM

TCExam before 14.1.2 has XSS via an ff_ or xl_ field.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor Product Version
tecnick tcexam *
CVE-2018-17057 HIGH

An issue was discovered in TCPDF before 6.2.22. Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502

Products Affected

Vendor Product Version
limesurvey limesurvey *
tecnick tcpdf *
CVE-2020-5743 MEDIUM

Improper Control of Resource Identifiers in TCExam 14.2.2 allows a remote, authenticated attacker to access test metadata for which they don't have permission.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-639

Products Affected

Vendor Product Version
tecnick tcexam 14.2.2
CVE-2020-5744 MEDIUM

Relative Path Traversal in TCExam 14.2.2 allows a remote, authenticated attacker to read the contents of arbitrary files on disk.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22

Products Affected

Vendor Product Version
tecnick tcexam 14.2.2
CVE-2020-5745 MEDIUM

Cross-site request forgery in TCExam 14.2.2 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.4 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N 2.8 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352

Products Affected

Vendor Product Version
tecnick tcexam 14.2.2
CVE-2020-5746 LOW

Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted test.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79

Products Affected

Vendor Product Version
tecnick tcexam 14.2.2
CVE-2020-5747 LOW

Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted test.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79

Products Affected

Vendor Product Version
tecnick tcexam 14.2.2
CVE-2020-5748 MEDIUM

Insufficient output sanitization in TCExam 14.2.2 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks via the self-registration feature.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor Product Version
tecnick tcexam 14.2.2
CVE-2020-5749 LOW

Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted group.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79

Products Affected

Vendor Product Version
tecnick tcexam 14.2.2
CVE-2020-5750 MEDIUM

Insufficient output sanitization in TCExam 14.2.2 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks via the self-registration feature.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor Product Version
tecnick tcexam 14.2.2
CVE-2020-5751 LOW

Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted operator.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79

Products Affected

Vendor Product Version
tecnick tcexam 14.2.2
CVE-2021-20111 LOW

A stored cross-site scripting vulnerability exists in TCExam <= 14.8.1. Valid files uploaded via tce_filemanager.php with a filename beginning with a period will be rendered as text/html. An attacker with access to tce_filemanager.php could upload a malicious JavaScript payload which would be triggered when another user views the file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79

Products Affected

Vendor Product Version
tecnick tcexam *
CVE-2021-20112 LOW

A stored cross-site scripting vulnerability exists in TCExam <= 14.8.1. Valid files uploaded via tce_select_mediafile.php with a filename beginning with a period will be rendered as text/html. An attacker with access to tce_select_mediafile.php could upload a malicious JavaScript payload which would be triggered when another user views the file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79

Products Affected

Vendor Product Version
tecnick tcexam *
CVE-2021-20113 MEDIUM

An exposure of sensitive information vulnerability exists in TCExam <= 14.8.1. If a password reset request was made for an email address that was not registered with a user then we would be presented with an ‘unknown email’ error. If an email is given that is registered with a user then this error will not appear. A malicious actor could abuse this to enumerate the email addresses of

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-203

Products Affected

Vendor Product Version
tecnick tcexam *
CVE-2021-20114 MEDIUM

When installed following the default/recommended settings, TCExam <= 14.8.1 allowed unauthenticated users to access the /cache/backup/ directory, which included sensitive database backup files.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-425

Products Affected

Vendor Product Version
tecnick tcexam *
CVE-2021-20115 MEDIUM

A reflected cross-site scripting vulnerability exists in TCExam <= 14.8.3. The paths provided in the f, d, and dir parameters in tce_filemanager.php were not properly validated and could cause reflected XSS via the unsanitized output of the path supplied. An attacker could craft a malicious link which, if triggered by an administrator, could result in the attacker hijacking the victim's session or performing actions on their behalf.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor Product Version
tecnick tcexam *
CVE-2021-20116 MEDIUM

A reflected cross-site scripting vulnerability exists in TCExam <= 14.8.4. The paths provided in the f, d, and dir parameters in tce_select_mediafile.php were not properly validated and could cause reflected XSS via the unsanitized output of the path supplied. An attacker could craft a malicious link which, if triggered by an administrator, could result in the attacker hijacking the victim's session or performing actions on their behalf.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor Product Version
tecnick tcexam *
CVE-2023-6554

When access to the "admin" folder is not protected by some external authorization mechanism, e.g. Apache Basic Auth, it is possible for any user to download protected information like exam answers.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
tecnick tcexam *