CVE-2020-5745
Description
Cross-site request forgery in TCExam 14.2.2 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in TCExam 14.2.2 lets remote attackers trick admins into forging privileged actions, e.g., granting attacker admin access.
Vulnerability
Cross-site request forgery (CSRF) in TCExam 14.2.2 allows a remote, unauthenticated attacker to perform sensitive application actions by tricking legitimate users, such as administrators, into clicking a crafted link or submitting a malicious form. The vulnerability exists because the application does not implement anti-CSRF tokens or sufficient validation of request origin, even when K_CHECK_SESSION_FINGERPRINT is enabled [1]. Affected version: TCExam 14.2.2 [1].
Exploitation
An attacker can craft a link or HTML form that triggers a state-changing request (e.g., editing user privileges) on the TCExam instance. The attacker must lure an authenticated user (typically an administrator) into clicking the link or submitting the form while that user's session is active. No authentication is required on the attacker's part, and the forged request is executed in the context of the victim's session. For example, a simple link can change user permissions without the victim's knowledge [1].
Impact
Successful exploitation enables the attacker to perform any action that the victim user is authorized to do, such as modifying user accounts, changing test configurations, or granting admin privileges to the attacker's account. This can lead to full administrative control of the TCExam application, compromising the confidentiality, integrity, and availability of data managed by the application [1].
Mitigation
As of the publication date (2020-05-07), no official patch or fixed version has been released by the vendor. Tenable recommends implementing CSRF protection mechanisms such as anti-CSRF tokens for all state-changing requests. A workaround is to enforce strict referer header checking or employ same-origin policy validation, though these are not foolproof. Users should monitor vendor channels for updates or consider restricting network access to the TCExam interface until a fix is available [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- TCExam / TCExam
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing anti-CSRF token or origin validation on the user-editing form endpoint allows an attacker to forge authenticated requests."
Attack vector
An unauthenticated attacker crafts an HTML form that submits a POST request to `tce_edit_user.php` with parameters such as `user_id`, `user_name`, `newpassword`, and privilege-level fields [ref_id=1]. The attacker hosts this form on an external site and tricks a legitimate, authenticated admin user into clicking a link or button that submits the form. Because the victim's browser automatically includes the session cookie for the TCExam application, the forged request is processed as if it came from the admin, allowing the attacker to change any user's password or privilege level [ref_id=1].
Affected code
The CSRF vulnerability affects the user editing functionality in `/admin/code/tce_edit_user.php` [ref_id=1]. The application does not include any anti-CSRF tokens or origin validation on this form-processing endpoint, allowing requests to be forged from an external page [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] does not provide remediation code, but the standard fix for CSRF is to implement anti-CSRF tokens (nonces) on every state-changing form, validate the HTTP `Origin` or `Referer` header, or require re-authentication for sensitive actions such as privilege escalation. Without such protections, the application remains vulnerable to cross-origin request forgery.
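One way to close the gap this section describes, as an added example that is not TCExam's code: a per-session synchronizer token plus a defence-in-depth Origin/Referer check on a PHP form endpoint. The function names, the session key and the form fields are assumptions, not TCExam identifiers.

```php
<?php
// Added example (not TCExam code): CSRF protection for a state-changing form
// endpoint. Function names and the session key are assumptions.
declare(strict_types=1);

session_start();

// Issue one per-session token; reusing it across forms keeps multiple tabs working.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token against the session copy.
function csrf_token_valid($submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Defence in depth: when the browser sends Origin (or Referer), its host must match ours.
// Absence is tolerated because older clients omit both; the token check still applies.
function same_origin_request(): bool {
    $source = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? null;
    if ($source === null) {
        return true;
    }
    $parts = parse_url($source);
    $origin_host = ($parts['host'] ?? '') . (isset($parts['port']) ? ':' . $parts['port'] : '');
    return strcasecmp($origin_host, $_SERVER['HTTP_HOST'] ?? '') === 0;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_token_valid($_POST['csrf_token'] ?? null) || !same_origin_request()) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    // Safe to apply the user edit (password / privilege change) here.
}
?>
<!-- The token travels in the form; a page on another origin cannot read it. -->
<form method="post" action="tce_edit_user.php">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES) ?>">
  <input type="text" name="user_name">
  <input type="password" name="newpassword">
  <button type="submit">Save</button>
</form>
```

Setting the session cookie with `SameSite=Lax` or `Strict` adds a further browser-side layer, but the server-side token remains the control that does not depend on client behaviour.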
Preconditions
- auth: The victim must be authenticated as an admin (or have sufficient privileges to edit users) in the TCExam application.
- input: The victim must click a crafted link or submit a form hosted on an attacker-controlled page while a valid session cookie for the TCExam application is present in the same browser.
- input: The attacker must know the target user ID (default user IDs are predictable, e.g., user_id=2 for admin) [ref_id=1].
Reproduction
The advisory [ref_id=1] includes a full HTML proof-of-concept form. Host the provided HTML on an attacker-controlled page, changing the form action URL to point to the victim's TCExam instance (e.g., `http://
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. www.tenable.com/security/research/tra-2020-31 (MISC)
News mentions
No linked articles in our index yet.