CVE-2020-5744
Description
Relative Path Traversal in TCExam 14.2.2 allows a remote, authenticated attacker to read the contents of arbitrary files on disk.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated directory traversal in TCExam 14.2.2 allows admin users to read arbitrary files via tce_edit_backup.php.
Vulnerability
A relative path traversal vulnerability exists in TCExam 14.2.2 in the script /admin/code/tce_edit_backup.php. The backup_file HTTP POST parameter is not sufficiently validated, allowing an authenticated user with admin privileges (level 10) to read arbitrary files on the server by supplying sequences like ../ to escape the intended backup directory [1].
Exploitation
An attacker must have administrative access to TCExam (user level 10) with permission to download backup files. By crafting a POST request to tce_edit_backup.php with a backup_file parameter containing path traversal sequences (e.g., ../../../../etc/passwd), the attacker can read the contents of any file on the filesystem [1].
Impact
Successful exploitation allows the attacker to read arbitrary files on disk, including sensitive system files such as /etc/passwd. This could lead to disclosure of confidential information or further compromise of the server [1].
Mitigation
As of the publication of this advisory (2020-05-07), no fix has been released by the vendor. Users should restrict administrative access to trusted individuals and monitor for updates from TCExam [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- TCExam/TCExam
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Insufficient validation of the 'backup_file' HTTP POST parameter allows path traversal in file path concatenation."
Attack vector
An authenticated user (by default level 10/admin with permission to download backup files) sends a crafted HTTP POST request to `tce_edit_backup.php` with a `backup_file` parameter containing multiple leading `../` sequences [ref_id=1]. The insufficient validation of this parameter allows the path to traverse outside the intended backup directory, enabling the attacker to read arbitrary files on disk such as `/etc/passwd` [ref_id=1].
Affected code
The vulnerable file is `/admin/code/tce_edit_backup.php`. The `backup_file` HTTP POST parameter is concatenated directly into a file path without sufficient validation: `$file_to_download = K_PATH_BACKUP.$backup_file;` [ref_id=1].
What the fix does
The advisory does not include a patch or specific remediation code. It identifies that the `backup_file` parameter is not validated sufficiently before being used in a file path concatenation [ref_id=1]. To close the vulnerability, the application should sanitize or validate the `backup_file` parameter to reject path traversal sequences (e.g., `../`) and ensure the resolved path stays within the intended backup directory.
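The concatenation quoted under "Affected code" next to a hardened version of the kind the remediation paragraph describes. This is an added example, not TCExam's own code; the K_PATH_BACKUP value is a placeholder and the function names are invented for illustration.

```php
<?php
// Added example, not TCExam's code. K_PATH_BACKUP is the backup directory
// constant named in the advisory; the value here is a placeholder.
define('K_PATH_BACKUP', '/var/www/tcexam/cache/backup/');

// Vulnerable pattern quoted in the advisory: the POST parameter is
// concatenated into the path with no validation, so "../" walks out
// of the backup directory.
function vulnerable_backup_path(string $backup_file): string {
    return K_PATH_BACKUP . $backup_file;
}

// Hardened version: accept only a single plain file name, then confirm
// that the canonical path still lies inside the backup directory.
// Returns the resolved path, or null if the request must be refused.
function safe_backup_path(string $backup_file): ?string {
    // Anything containing a directory separator is not a bare file name.
    if ($backup_file !== basename($backup_file)) {
        return null;
    }
    // Reject empty names, dot-files and characters outside a conservative set.
    if (!preg_match('/^[A-Za-z0-9_][A-Za-z0-9_.-]*$/', $backup_file)) {
        return null;
    }
    $base = realpath(K_PATH_BACKUP);
    $full = realpath(K_PATH_BACKUP . $backup_file);
    // realpath() returns false for a missing file; comparing canonical
    // paths also defeats symlinks and encoded traversal sequences.
    if ($base === false || $full === false) {
        return null;
    }
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

// Demonstration with the traversal input named in the advisory.
$traversal_input = '../../../../etc/passwd';
var_dump(vulnerable_backup_path($traversal_input)); // path leaves the backup directory
var_dump(safe_backup_path($traversal_input));       // refused before any file access
var_dump(safe_backup_path('tcexam_backup.sql'));     // resolved only if it exists under K_PATH_BACKUP
```

The second check (canonical prefix comparison) is the one that matters even if the name filter is later relaxed, because it is evaluated on the path the filesystem will actually open.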
Preconditions
- auth: Attacker must be authenticated to TCExam
- config: By default, the user must be level 10 (admin) and have permission to download backup files
- network: Attacker must be able to send HTTP POST requests to the vulnerable endpoint
- input: The 'backup_file' POST parameter must be controllable by the attacker
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. www.tenable.com/security/research/tra-2020-31 (MISC)
News mentions
No linked articles in our index yet.