PT-2021-4018 · Tcexam · Tcexam
Derrie Sutton · Published 2021-07-21 · Updated 2021-08-12
CVE-2021-20116 · CVSS v3.1 6.1 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
TCExam versions prior to 14.8.5
Description
A reflected cross-site scripting vulnerability exists because the paths supplied in the f, d, and dir parameters of tce_select_mediafile.php are not properly validated and are echoed back into the response without output encoding. An attacker can craft a link that carries script in one of these parameters; if an authenticated administrator opens it, the script runs in the administrator's browser and can hijack the session or perform actions on the victim's behalf.
Recommendations
For versions prior to 14.8.5, update to version 14.8.5 or later to resolve the issue.
As a temporary workaround, restrict access to tce_select_mediafile.php (for example, to trusted administrator addresses only) until the update can be applied.
Avoid passing the f, d, and dir parameters to the affected endpoint until the issue is resolved.
Exploit
Fix
XSS
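To confirm that the workaround or the 14.8.5 update actually closed the issue, the following Python probe (an example added here, not code from the original advisory or from the TCExam project) sends a harmless marker through each of f, d and dir and classifies how the response reflects it. The admin/code/ path, the tcexam.example host and the fetch helper are assumptions; the sample responses are constructed inline so the script runs offline and shows a vulnerable, a half-fixed and a fixed reflection side by side.

```python
"""Added example (not TCExam project code): probe the f, d and dir parameters
of tce_select_mediafile.php with a harmless marker and classify how the server
reflects it. The admin/code/ location, the host and fetch() are assumptions;
the sample responses below are constructed, not captured."""
import html
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed location of the affected script in a TCExam install.
TARGET = "https://tcexam.example/admin/code/tce_select_mediafile.php"
PARAMS = ("f", "d", "dir")

# Harmless marker, not an exploit payload: it covers the three characters
# that matter (" < >) so a quoted attribute breakout and a new tag are both
# detectable without executing anything.
MARKER = '"><xssprobe>'


def build_probe_urls(target=TARGET, params=PARAMS, marker=MARKER):
    """One URL per parameter, marker URL-encoded so it survives transport."""
    return {p: f"{target}?{urlencode({p: marker})}" for p in params}


def probe_value(url, param):
    """Decode the query string again and return the value sent for param."""
    return parse_qs(urlsplit(url).query)[param][0]


def classify_reflection(body, marker=MARKER):
    """How did the response echo the marker?

    'unescaped' - marker appears verbatim: exploitable reflected XSS
    'escaped'   - fully HTML-encoded, which is what a fixed build should return
    'partial'   - < and > encoded but the quote is not: still breaks out of a
                  double-quoted attribute, so treat as vulnerable
    'absent'    - not reflected at all
    """
    if marker in body:
        return "unescaped"
    if html.escape(marker, quote=True) in body:
        return "escaped"
    if html.escape(marker, quote=False) in body:
        return "partial"
    return "absent"


def check_endpoint(responses, marker=MARKER):
    """responses maps parameter -> response body.

    Returns (verdicts, vulnerable); the endpoint counts as vulnerable if any
    parameter comes back unescaped or only partially escaped."""
    verdicts = {p: classify_reflection(body, marker) for p, body in responses.items()}
    vulnerable = any(v in ("unescaped", "partial") for v in verdicts.values())
    return verdicts, vulnerable


def fetch(url):
    """Assumed minimal HTTP client for a live run against a lab install."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample responses standing in for real HTTP replies.
# f: echoed straight into an attribute (vulnerable)
# d: tags encoded but the quote is not (half-fix, still vulnerable)
# dir: not reflected at all
SAMPLE_VULNERABLE = {
    "f": f'<input type="text" name="f" value="{MARKER}">',
    "d": f'<input type="hidden" name="d" value="{html.escape(MARKER, quote=False)}">',
    "dir": "<p>media listing</p>",
}
# A fixed build HTML-encodes the value, quotes included.
SAMPLE_FIXED = {
    p: f'<input type="text" name="{p}" value="{html.escape(MARKER, quote=True)}">'
    for p in PARAMS
}

if __name__ == "__main__":
    for label, sample in (("vulnerable build", SAMPLE_VULNERABLE),
                          ("fixed build", SAMPLE_FIXED)):
        verdicts, vulnerable = check_endpoint(sample)
        print(label, verdicts, "VULNERABLE" if vulnerable else "ok")
    # Live run against a lab install (uncomment):
    # live = {p: fetch(u) for p, u in build_probe_urls().items()}
    # print(check_endpoint(live))
```

The 'partial' verdict is the case worth keeping: a fix that encodes only `<` and `>` still lets `"` close the attribute the path is reflected into, so check that the quote is encoded as well before signing the endpoint off.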
Weakness Enumeration
Related Identifiers
Affected Products
Tcexam