Description
A stored cross-site scripting vulnerability exists in TCExam <= 14.8.1. Valid files uploaded via tce_select_mediafile.php with a filename beginning with a period will be rendered as text/html. An attacker with access to tce_select_mediafile.php could upload a malicious JavaScript payload, which would be triggered when another user views the file.
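As an added illustration (not TCExam's code and not the vendor's fix), the following upload-name check rejects filenames that begin with a period before anything is written to the media directory. The function name `validate_media_filename` and the extension allowlist are assumptions made for this example.

```php
<?php
// Added example: the function name and allowlist are hypothetical, not TCExam code.
const ALLOWED_MEDIA_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif']; // assumed allowlist

/**
 * Return a safe name to store the upload under, or null if it must be rejected.
 */
function validate_media_filename(string $clientName): ?string
{
    // Drop any directory components supplied by the client.
    $base = basename(str_replace('\\', '/', $clientName));
    $info = pathinfo($base);
    $stem = $info['filename'] ?? '';
    $ext  = strtolower($info['extension'] ?? '');

    // pathinfo('.png') reports extension 'png' with an empty filename, so an
    // extension-only allowlist would accept it. Reject leading periods explicitly.
    if ($base === '' || $base[0] === '.' || $stem === '') {
        return null;
    }
    if (!in_array($ext, ALLOWED_MEDIA_EXTENSIONS, true)) {
        return null;
    }
    // Keep a conservative character set in the stored name.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $base)) {
        return null;
    }
    return $stem . '.' . $ext;
}

// Constructed sample names, not taken from the advisory.
foreach (['diagram.png', '.png', '.payload.jpg', '../.gif', 'notes.html'] as $name) {
    $result = validate_media_filename($name);
    printf("%-14s => %s\n", $name, $result === null ? 'rejected' : "accepted as $result");
}
```

Serving the media directory with an `X-Content-Type-Options: nosniff` header and an explicit per-extension `Content-Type` is a complementary control for files already on disk.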
Remediation
References