Thursday, September 13, 2012

HTB23111: TCExam 11.3.008 multiple vulnerabilities

TCExam

TCExam version 11.3.008 suffers from SQL injection and cross-site scripting (XSS) vulnerabilities. The details were published by High-Tech Bridge Security Research Lab and are publicly available on their advisory page: TCExam multiple vulnerabilities.

  1. SQL injection: Input passed via the "user_groups[]" POST parameter to the "admin/code/tce_edit_test.php" script and via the "subject_id" POST parameter to the "/admin/code/tce_show_all_questions.php" script is not properly sanitised before being used in a SQL query.
  2. Cross-site scripting (XSS): Input passed via the "cid" and "uids" GET parameters to the "admin/code/tce_select_users_popup.php" script is not properly sanitised before being returned to the user.
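The two defect classes listed above are "data used in a SQL query without validation or binding" and "data echoed into HTML without encoding". The following PHP is an added illustration written for this post; it is not TCExam code and does not reproduce the affected scripts. The table name, column names and hidden-field layout are hypothetical, and the parameter names are borrowed from the advisory only to tie each pattern to the class of issue it shows. Each vulnerable function is shown next to a hardened form that uses integer validation plus PDO prepared statements for the SQL case and htmlspecialchars() for the output case.

```php
<?php
// Added illustrative example, not TCExam code. Table/column names are hypothetical.

// --- SQL injection -----------------------------------------------------------

// Vulnerable pattern: an array POST parameter (cf. "user_groups[]") is joined
// and concatenated straight into the query text, so the data can change the
// structure of the statement.
function loadGroupsUnsafe(PDO $db, array $groupIds): array {
    $list = implode(',', $groupIds);               // attacker-controlled text
    $sql  = "SELECT group_id, group_name FROM user_groups WHERE group_id IN ($list)";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: every value must validate as an integer, and the values are
// then bound through a prepared statement; the query text never contains them.
function loadGroupsSafe(PDO $db, array $groupIds): array {
    $ids = [];
    foreach ($groupIds as $id) {
        if (filter_var($id, FILTER_VALIDATE_INT) === false) {
            throw new InvalidArgumentException('group id must be an integer');
        }
        $ids[] = (int) $id;
    }
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare(
        "SELECT group_id, group_name FROM user_groups WHERE group_id IN ($placeholders)"
    );
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Cross-site scripting ----------------------------------------------------

// Vulnerable pattern: a GET parameter (cf. "cid"/"uids") is written into an
// attribute value as-is, so a quote in the data can close the attribute.
function renderHiddenFieldUnsafe(string $name, string $value): string {
    return '<input type="hidden" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: HTML-encode name and value, including quotes, so the
// browser treats the data as text rather than markup.
function renderHiddenFieldSafe(string $name, string $value): string {
    $enc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="' . $enc($name) . '" value="' . $enc($value) . '">';
}

// Self-contained demo against an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_groups (group_id INTEGER PRIMARY KEY, group_name TEXT)');
$db->exec("INSERT INTO user_groups VALUES (1, 'students'), (2, 'staff')");

var_dump(loadGroupsSafe($db, ['1', '2']));          // two rows returned
try {
    loadGroupsSafe($db, ['1', '2 OR 1=1']);         // rejected before any SQL runs
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
echo renderHiddenFieldSafe('cid', '"><b>x</b>'), "\n";  // quotes and brackets encoded
```

Run it with the PDO SQLite driver enabled (`php example.php`). The safe loader rejects the non-integer value before touching the database, and the safe renderer emits the quote and angle brackets as entities, which is the behaviour a fix for either class of issue on this page needs to provide.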

Vulnerability ID: HTB23111
Vendor Notification / Patch / Public Disclosure Dates: August 22 / August 22 / September 12, 2012
Vulnerabilities Type: SQL Injection, XSS
Risk level: Medium
Solution Status: Fixed by Vendor, upgrade to TCExam 11.3.009

TCExam is a web-based CBA - Computer-Based Assessment system (e-exam, CBT - Computer Based Testing) for universities, schools and companies, that enables educators and trainers to author, schedule, deliver, and report on surveys, quizzes, tests and exams.
