Tcexam
Monthly
When access to the "admin" folder is not protected by some external authorization mechanisms e.g. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A reflected cross-site scripting vulnerability exists in TCExam <= 14.8.4. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A reflected cross-site scripting vulnerability exists in TCExam <= 14.8.3. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
When installed following the default/recommended settings, TCExam <= 14.8.1 allowed unauthenticated users to access the /cache/backup/ directory, which included sensitive database backup files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An exposure of sensitive information vulnerability exists in TCExam <= 14.8.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A stored cross-site scripting vulnerability exists in TCExam <= 14.8.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A stored cross-site scripting vulnerability exists in TCExam <= 14.8.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted operator. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Insufficient output sanitization in TCExam 14.2.2 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks via the self-registration feature. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted group. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Insufficient output sanitization in TCExam 14.2.2 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks via the self-registration feature. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted test. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted test. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Cross-site request forgery in TCExam 14.2.2 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Relative Path Traversal in TCExam 14.2.2 allows a remote, authenticated attacker to read the contents of arbitrary files on disk. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Improper Control of Resource Identifiers in TCExam 14.2.2 allows a remote, authenticated attacker to access test metadata for which they don't have permission. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
TCExam before 14.1.2 has XSS via an ff_ or xl_ field. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Multiple cross-site scripting (XSS) vulnerabilities in admin/code/tce_select_users_popup.php in Nicola Asuni TCExam before 11.3.009 allow remote attackers to inject arbitrary web script or HTML via. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.
Multiple SQL injection vulnerabilities in Nicola Asuni TCExam before 11.3.009 allow remote authenticated users with level 5 or greater permissions to execute arbitrary SQL commands via the (1). Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable. Public exploit code available.
Cross-site scripting (XSS) vulnerability in admin/code/tce_edit_answer.php in TCExam before 11.3.008 allows remote authenticated users with level 5 or greater permissions to inject arbitrary web. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
Multiple SQL injection vulnerabilities in TCExam before 11.3.008 allow remote authenticated users with level 5 or greater permissions to execute arbitrary SQL commands via the subject_module_id. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
When access to the "admin" folder is not protected by some external authorization mechanisms e.g. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A reflected cross-site scripting vulnerability exists in TCExam <= 14.8.4. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A reflected cross-site scripting vulnerability exists in TCExam <= 14.8.3. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
When installed following the default/recommended settings, TCExam <= 14.8.1 allowed unauthenticated users to access the /cache/backup/ directory, which included sensitive database backup files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An exposure of sensitive information vulnerability exists in TCExam <= 14.8.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A stored cross-site scripting vulnerability exists in TCExam <= 14.8.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A stored cross-site scripting vulnerability exists in TCExam <= 14.8.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted operator. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Insufficient output sanitization in TCExam 14.2.2 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks via the self-registration feature. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted group. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Insufficient output sanitization in TCExam 14.2.2 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks via the self-registration feature. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted test. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted test. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Cross-site request forgery in TCExam 14.2.2 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Relative Path Traversal in TCExam 14.2.2 allows a remote, authenticated attacker to read the contents of arbitrary files on disk. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Improper Control of Resource Identifiers in TCExam 14.2.2 allows a remote, authenticated attacker to access test metadata for which they don't have permission. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
TCExam before 14.1.2 has XSS via an ff_ or xl_ field. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Multiple cross-site scripting (XSS) vulnerabilities in admin/code/tce_select_users_popup.php in Nicola Asuni TCExam before 11.3.009 allow remote attackers to inject arbitrary web script or HTML via. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.
Multiple SQL injection vulnerabilities in Nicola Asuni TCExam before 11.3.009 allow remote authenticated users with level 5 or greater permissions to execute arbitrary SQL commands via the (1). Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable. Public exploit code available.
Cross-site scripting (XSS) vulnerability in admin/code/tce_edit_answer.php in TCExam before 11.3.008 allows remote authenticated users with level 5 or greater permissions to inject arbitrary web. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
Multiple SQL injection vulnerabilities in TCExam before 11.3.008 allow remote authenticated users with level 5 or greater permissions to execute arbitrary SQL commands via the subject_module_id. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.