Description
A stored cross-site scripting vulnerability exists in TCExam <= 14.8.1. Valid files uploaded via tce_filemanager.php with a filename beginning with a period will be rendered as text/html. An attacker with access to tce_filemanager.php could upload a malicious JavaScript payload, which would be triggered when another user views the file.
Remediation
References