Description
A stored cross-site scripting vulnerability exists in TCExam <= 14.8.1. Valid files uploaded via tce_select_mediafile.php with a filename beginning with a period will be rendered as text/html. An attacker with access to tce_select_mediafile.php could upload a malicious JavaScript payload, which would be triggered when another user views the file.
Remediation
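One way an upload handler can refuse the file names described above, as an added example (not TCExam's code and not its official fix). The function name `vet_media_filename`, the extension allowlist and the sample names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: extension => content type the server should send.
const MEDIA_TYPES = [
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'gif' => 'image/gif',
    'mp3' => 'audio/mpeg',
];

/**
 * Return [safeName, contentType] for an uploaded file name, or null to reject.
 * Hypothetical helper, not part of TCExam.
 */
function vet_media_filename(string $clientName): ?array
{
    // Keep only the last path component, whatever separator the client used.
    $name = basename(str_replace('\\', '/', $clientName));

    // Reject empty names and names containing control characters.
    if ($name === '' || preg_match('/[\x00-\x1f\x7f]/', $name)) {
        return null;
    }
    // The case from the advisory: a name starting with a period.
    // Refuse it outright rather than trying to repair it.
    if ($name[0] === '.') {
        return null;
    }
    // Require a base name with no further dots and one allowlisted extension.
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $base = pathinfo($name, PATHINFO_FILENAME);
    if ($base === '' || strpos($base, '.') !== false || !isset(MEDIA_TYPES[$ext])) {
        return null;
    }
    // Store under a restricted character set; the content type comes from
    // the allowlist, never from the client or from server-side guessing.
    $safeBase = preg_replace('/[^A-Za-z0-9_-]/', '_', $base);
    return [$safeBase . '.' . $ext, MEDIA_TYPES[$ext]];
}

// Constructed sample names, not taken from the advisory.
foreach (['photo.png', '.png', '.banner.jpg', 'a.php.jpg', '../x/.gif', 'clip.MP3'] as $n) {
    $r = vet_media_filename($n);
    printf("%-12s => %s\n", $n, $r === null ? 'REJECT' : $r[0] . ' (' . $r[1] . ')');
}
```

Only `photo.png` and `clip.MP3` are accepted; the latter is stored as `clip.mp3`.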
References