VYPR
Unrated severity · NVD Advisory · Published May 7, 2020 · Updated Aug 4, 2024

CVE-2020-5743

Description

Improper Control of Resource Identifiers in TCExam 14.2.2 allows a remote, authenticated attacker to access test metadata for which they don't have permission.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TCExam 14.2.2 contains an insecure direct object reference allowing low-privileged authenticated users to view unauthorized test metadata.

Vulnerability

An insecure direct object reference (IDOR) vulnerability exists in TCExam 14.2.2 in the file /public/code/tce_popup_test_info.php. The testid HTTP GET parameter is not properly validated, enabling an authenticated user with low privileges (student level 1 and above) to access test metadata for tests they do not have permission to view [1].

Exploitation

An attacker must be an authenticated user of TCExam with at least level 1 privileges. By sending a crafted HTTP GET request to tce_popup_test_info.php with a testid parameter set to an arbitrary test identifier, the attacker can retrieve metadata for that test. No additional authentication or special access is required beyond the initial session [1].

Impact

A successful attacker can view test metadata including the start time, end time, test length, maximum score, and points required to pass the exam. This information disclosure could be used to gain an unfair advantage in testing scenarios or to gather intelligence about test structure. The vulnerability does not allow modification of test data or execution of arbitrary code [1].

Mitigation

As of the publication date (2020-05-07), no official patch for TCExam 14.2.2 was available. Users should monitor the vendor for updates and consider implementing access control checks on the testid parameter to verify user permissions before returning metadata [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • TCExam/TCExam (from the CVE description)
  • TCExam/TCExam (LLM fuzzy match), Range: = 14.2.2

Patches


No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing authorization check on the testid parameter in tce_popup_test_info.php allows an authenticated user to access test metadata for tests they are not permitted to view."

Attack vector

A remote, authenticated attacker with at least student-level privileges (level 1 or above) can supply an arbitrary `testid` value in the HTTP GET request to `tce_popup_test_info.php`. The application does not verify whether the attacker is authorized to view that test, allowing the attacker to enumerate test IDs and retrieve metadata such as start time, end time, test length, max score, and passing score for any test in the system [ref_id=1].

Affected code

The vulnerability exists in `/public/code/tce_popup_test_info.php`. The script accepts a test ID via the HTTP GET parameter `testid` without verifying that the authenticated user has permission to access that test's metadata [ref_id=1].

What the fix does

No patch is included in the bundle. The advisory [ref_id=1] identifies the root cause as an insecure direct object reference in `tce_popup_test_info.php` where the `testid` parameter is not validated against the user's permissions. The remediation would require adding an authorization check before returning test metadata, ensuring the requesting user is enrolled in or otherwise authorized to view the specified test.
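The authorization check that the Mitigation and "What the fix does" sections describe, written out as an added example. This is not TCExam's code and not part of the original advisory: the helper names (`handleTestInfo`, `userMayViewTest`, `auditDeny`), the in-memory `TESTS` and `ENROLMENTS` tables, the admin level constant and the regular expression on `testid` are all assumptions constructed for the illustration. The unchecked handler is shown first so the missing step is visible next to the hardened one.

```php
<?php
// Added example, not TCExam's own code. All helper names and data tables
// below are assumptions constructed for this illustration.
declare(strict_types=1);

// --- Constructed sample data standing in for the database ----------------
const TESTS = [
    1 => ['name' => 'Algebra I',  'begin' => '2020-05-01 09:00', 'end' => '2020-05-01 11:00',
          'duration' => 120, 'max_score' => 100, 'pass' => 60],
    2 => ['name' => 'Physics II', 'begin' => '2020-05-02 09:00', 'end' => '2020-05-02 10:30',
          'duration' => 90, 'max_score' => 50, 'pass' => 30],
];
// user id => test ids that user is enrolled in (assumed table)
const ENROLMENTS = [
    10 => [1],
    11 => [2],
];
const LEVEL_ADMIN = 10; // assumed: this level and above may view every test

// The shape of the flaw: the identifier alone selects the record, the
// requesting user's relationship to that record is never consulted.
function handleTestInfoUnchecked(array $get): ?array
{
    $testId = (int)($get['testid'] ?? 0);
    return TESTS[$testId] ?? null;
}

// Authorization decision keyed to the user, not to the mere existence of a session.
function userMayViewTest(int $userId, int $userLevel, int $testId): bool
{
    if ($userLevel >= LEVEL_ADMIN) {
        return true;
    }
    return in_array($testId, ENROLMENTS[$userId] ?? [], true);
}

// Constructed audit line. Many denials for one user across a spread of
// testid values is the enumeration pattern a defender looks for.
function auditDeny(int $userId, string $testId, string $reason): void
{
    error_log(sprintf('tce_popup_test_info deny user=%d testid=%s reason=%s',
        $userId, $testId, $reason));
}

/**
 * Hardened handler. Returns the metadata array on success, or null when
 * the request is rejected; the caller answers a rejection with the same
 * generic error page whether the test is missing or merely not the
 * user's, so a rejection does not confirm that an id exists.
 */
function handleTestInfo(array $get, int $userId, int $userLevel): ?array
{
    // 1. Validate the identifier's shape before touching the data layer.
    $raw = (string)($get['testid'] ?? '');
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        auditDeny($userId, $raw, 'malformed testid');
        return null;
    }
    $testId = (int)$raw;

    // 2. Check that this user is allowed to see this test.
    if (!userMayViewTest($userId, $userLevel, $testId)) {
        auditDeny($userId, $raw, 'not enrolled');
        return null;
    }

    // 3. Only now load and return the record.
    return TESTS[$testId] ?? null;
}

// Demonstration with constructed requests (user 10 is enrolled in test 1 only).
var_dump(handleTestInfoUnchecked(['testid' => '2']) !== null);        // true: unchecked handler leaks test 2
var_dump(handleTestInfo(['testid' => '1'], 10, 1) !== null);          // true: enrolled, allowed
var_dump(handleTestInfo(['testid' => '2'], 10, 1) === null);          // true: not enrolled, denied
var_dump(handleTestInfo(['testid' => '2'], 10, LEVEL_ADMIN) !== null); // true: admin, allowed
var_dump(handleTestInfo(['testid' => '2 OR 1=1'], 11, 1) === null);   // true: malformed, denied
```

The ordering matters: the shape check runs before any database access, the authorization check runs before the record is read, and both failure paths log the requesting user and the supplied `testid` so that a burst of denials can be alerted on. Returning the same null result for "does not exist" and "not yours" keeps the fix from turning into an id oracle.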

Preconditions

  • Auth: Attacker must have a valid authenticated session with at least student-level privileges (level 1 or above).
  • Network: Attacker must be able to send HTTP GET requests to the TCExam application.
  • Input: Attacker must supply a valid test ID that exists in the system but is not assigned to them.

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References


News mentions


No linked articles in our index yet.