PT-2021-4033 · Tcexam · Tcexam

Derrie Sutton · Published 2021-07-21 · Updated 2021-08-12 · CVE-2021-20115

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: TCExam versions prior to 14.8.4

Description: A reflected cross-site scripting issue exists due to improper validation of the paths provided in the f, d, and dir parameters of tce_filemanager.php. The supplied path is written back into the page without sanitization, which allows reflected XSS. An attacker could craft a malicious link which, if opened by an administrator, could let the attacker hijack the victim's session or perform actions on their behalf.

Recommendations: For versions prior to 14.8.4, update to version 14.8.4 or later to resolve the issue. As a temporary workaround, consider restricting access to tce_filemanager.php to minimize the risk of exploitation. Avoid using the parameters f, d, and dir in the affected endpoint until the issue is resolved.
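As an added hardening illustration (not TCExam's own code and not the project's actual fix), the following PHP shows the two controls the description points at: confining the f, d and dir values to an allowed base directory, and HTML-encoding anything that is reflected back. The base directory, function names and the parameter-handling snippet are assumptions.

```php
<?php
// Added example, not TCExam code. Assumptions: the base directory constant,
// the function names, and that the parameter is reflected into an input value.
declare(strict_types=1);

const FILEMANAGER_BASE = '/var/www/tcexam/cache/'; // assumed base directory

/**
 * Return the canonical path for a user-supplied relative path, or null if it
 * is absolute, contains a NUL byte, does not exist, or escapes the base
 * directory (for example via "../" segments or a symlink).
 */
function resolveManagedPath(string $userPath): ?string
{
    if (strpos($userPath, "\0") !== false || (isset($userPath[0]) && $userPath[0] === '/')) {
        return null;
    }
    $base = realpath(FILEMANAGER_BASE);
    $real = realpath(FILEMANAGER_BASE . $userPath);
    if ($base === false || $real === false) {
        return null; // base directory missing or target does not exist
    }
    // Accept the base itself or anything strictly beneath it.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($real !== $base && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

/** Encode a value for safe insertion into HTML text or a quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Unsafe pattern behind this class of bug: the raw parameter lands in the HTML.
//   echo '<input type="text" name="dir" value="' . $_GET['dir'] . '">';

// Hardened handling of the same parameter.
$dir = (string) ($_GET['dir'] ?? '');
if (resolveManagedPath($dir) === null) {
    http_response_code(400);
    // Do not echo the rejected value back to the browser; record it server-side.
    error_log('filemanager: rejected dir parameter');
    exit('Invalid directory.');
}
// Only a value that passed validation is reflected, and it is still encoded.
echo '<input type="text" name="dir" value="' . h($dir) . '">';
```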


Related Identifiers

BDU:2021-04560
CVE-2021-20115

Affected Products

Tcexam