PT-2012-5508 · Tcexam · Tcexam

Published: 2012-11-23 · Updated: 2012-11-26 · CVE-2012-4601

CVSS v2.0: 6.0 (Medium)
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: TCExam versions prior to 11.3.009
Description: The issue allows remote authenticated users with level 5 or greater permissions to execute arbitrary SQL commands. It can be triggered via the user_groups[] parameter of "admin/code/tce_edit_test.php" or the subject_id parameter of "admin/code/tce_show_all_questions.php".
Recommendations: For versions prior to 11.3.009, update to version 11.3.009 or later to resolve the issue. As a temporary workaround, restrict access to the "admin/code/tce_edit_test.php" and "admin/code/tce_show_all_questions.php" endpoints for users with level 5 or greater permissions until the update is applied, and avoid passing the user_groups[] and subject_id parameters to those endpoints until the issue is resolved.
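The weakness described above is an array request parameter (user_groups[]) reaching a SQL IN clause without validation or parameter binding. The following added example, written for this page and not taken from TCExam's code base, contrasts that pattern with the fix a maintainer would apply: validate that every element is an integer and bind the values as query parameters. The table names, the in-memory SQLite database and the sample rows are constructed for the demonstration.

```python
import sqlite3


def build_db():
    """Constructed sample schema: which user groups may take which test."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test_groups (test_id INTEGER, group_id INTEGER)")
    conn.executemany(
        "INSERT INTO test_groups VALUES (?, ?)",
        [(1, 10), (1, 11), (2, 12)],
    )
    return conn


def unsafe_test_ids(conn, user_groups):
    """Vulnerable pattern: request values are spliced straight into the SQL text.

    Anything that is not a bare integer alters the query, which is the defect
    class the advisory describes for the user_groups[] parameter.
    """
    ids = ",".join(str(g) for g in user_groups)
    sql = f"SELECT DISTINCT test_id FROM test_groups WHERE group_id IN ({ids})"
    return sorted(row[0] for row in conn.execute(sql))


def validate_int_list(values):
    """Reject anything that is not an integer before it gets near the database."""
    out = []
    for v in values:
        text = str(v)
        if isinstance(v, bool) or not text.lstrip("-").isdigit():
            raise ValueError(f"not an integer id: {v!r}")
        out.append(int(text))
    return out


def safe_test_ids(conn, user_groups):
    """Hardened pattern: validated integers bound through one placeholder each."""
    ids = validate_int_list(user_groups)
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT DISTINCT test_id FROM test_groups WHERE group_id IN ({placeholders})"
    return sorted(row[0] for row in conn.execute(sql, ids))


if __name__ == "__main__":
    db = build_db()
    print(safe_test_ids(db, ["10", "11"]))          # [1]
    try:
        safe_test_ids(db, ["10) OR 1=1 --"])
    except ValueError as exc:
        print("rejected:", exc)
```

The placeholder list is built only from the count of validated integers, so the SQL text itself never contains user data; the validator is what turns a malformed array element into a request error instead of a query change.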

Exploit

Fix

SQL injection


Weakness Enumeration

Related identifiers: CVE-2012-4601

Affected products: Tcexam