CVE-2007-2431

Name of the Vulnerable Software and Affected Versions TCExam versions 4.0.011 and earlier

Description A dynamic variable evaluation issue allows remote attackers to conduct cross-site scripting (XSS) and possibly other attacks by modifying critical variables such as $ SERVER. This can be achieved by injecting web script via the SERVER[SCRIPT NAME] parameter.

Recommendations For TCExam versions 4.0.011 and earlier, update to a version later than 4.0.011 to resolve the issue. As a temporary workaround, consider restricting access to the shared/config/tce config.php file to minimize the risk of exploitation. Avoid using the SERVER[SCRIPT NAME] parameter in sensitive operations until the issue is resolved.