PT-2021-4014 · Tcexam · Tcexam

Derrie Sutton · Published 2021-07-15 · Updated 2021-08-02 · CVE-2021-20111

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: TCExam versions prior to 14.8.2

Description: A stored cross-site scripting vulnerability exists that allows an attacker to upload a malicious JavaScript payload through tce_filemanager.php using a filename that starts with a period. The payload is triggered when another user views the file, potentially leading to cross-site scripting attacks. The root cause is that files whose names start with a period are incorrectly served as text/html.

Recommendations: For TCExam versions prior to 14.8.2, update to version 14.8.2 or later to resolve the issue. As a temporary workaround, restrict access to tce_filemanager.php to minimize the risk of exploitation.
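As an added illustration of the bug class described above (this is not TCExam's code, and the exact logic inside TCExam is not reproduced here), the following Python contrasts a hypothetical extension lookup that falls back to text/html, which is one way a file named with a leading period and no visible extension ends up rendered as HTML, with a hardened handler that never defaults to text/html, forces dotfiles and non-allow-listed types into a download, and sets nosniff. The INLINE_TYPES allow-list and the helper names are assumptions for the example.

```python
import mimetypes
import posixpath

# Content types a browser may render inline from a file manager; anything
# else (including text/html and unknown types) is forced into a download.
INLINE_TYPES = {"image/png", "image/jpeg", "image/gif", "application/pdf", "text/plain"}


def weak_content_type(filename: str) -> str:
    """Hypothetical weak handler: extension lookup with text/html as fallback.

    A leading-dot name such as ".svg" has no extension as far as splitext is
    concerned, so it drops through to the fallback and is served as HTML, an
    XSS sink for any user who views it. Reconstructed for illustration only.
    """
    _, ext = posixpath.splitext(filename)
    table = {".png": "image/png", ".jpg": "image/jpeg", ".txt": "text/plain"}
    return table.get(ext.lower(), "text/html")


def hardened_headers(filename: str) -> dict:
    """Response headers for serving an uploaded file without an XSS sink.

    - Only the basename is used, so path components cannot influence the type.
    - Unknown types default to application/octet-stream, never text/html.
    - Dotfiles and anything outside INLINE_TYPES are sent as attachments.
    - nosniff stops the browser from second-guessing the declared type.
    - The attachment filename is stripped of quotes, backslashes and control
      characters so it cannot break out of the Content-Disposition header.
    """
    base = posixpath.basename(filename)
    guessed, _ = mimetypes.guess_type(base, strict=True)
    ctype = guessed or "application/octet-stream"
    inline = not base.startswith(".") and ctype in INLINE_TYPES
    if not inline:
        ctype = "application/octet-stream"
    safe_name = "".join(c for c in base if 32 <= ord(c) < 127 and c not in '"\\')
    return {
        "Content-Type": ctype,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "inline" if inline else f'attachment; filename="{safe_name or "download"}"',
    }
```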

Links: Exploit, Fix

Tags: XSS


Weakness Enumeration

Related Identifiers: BDU:2021-04540, CVE-2021-20111

Affected Products: Tcexam