Description
A stored cross-site scripting vulnerability exists in TCExam <= 14.8.1. Valid files uploaded via tce_filemanager.php with a filename beggining with a period will be rendered as text/html. An attacker with access to tce_filemanager.php could upload a malicious javascript payload which would be triggered when another user views the file.
Remediation
References
Related Vulnerabilities
WordPress Plugin Chained Quiz Cross-Site Scripting (0.9.9)
Apache HTTP Server Uncontrolled Resource Consumption Vulnerability (CVE-2009-1890)
Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-5012)
Oracle HTTP Server Other Vulnerability (CVE-2021-41617)
Oracle Application Server CVE-2006-0284 Vulnerability (CVE-2006-0284)