A reflected cross-site scripting vulnerability exists in TCExam <= 14.8.4. The paths provided in the f, d, and dir parameters in tce_select_mediafile.php were not properly validated and could cause reflected XSS via the unsanitized output of the path supplied. An attacker could craft a malicious link which, if triggered by an administrator, could result in the attacker hijacking the victim's session or performing actions on their behalf.
[
{
"product": "TCExam",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "<= 14.8.4"
}
]
}
]