CVE-2020-5747
Description
Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted test.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TCExam 14.2.2 insufficient output sanitization allows authenticated remote attackers to persist XSS via crafted test creation.
Vulnerability
TCExam version 14.2.2 suffers from insufficient output sanitization in the test creation functionality (/public/code/tce_test.php). An authenticated attacker can inject arbitrary HTML and JavaScript into a test, leading to persistent cross-site scripting (XSS). The vulnerability exists because user-supplied content in test fields is not properly sanitized before storage and later display [1].
Exploitation
An attacker must be authenticated to the TCExam application. The attacker creates a new test and includes a malicious HTML/JavaScript payload in any of the test fields (e.g., test name or description). When any other user, including administrators, views the crafted test, the script executes in their browser. No additional privileges or user interaction are required beyond viewing the test [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, credential theft, defacement, or other actions performed on behalf of the victim. The XSS is persistent, meaning the payload executes automatically for all users who access the compromised test [1].
Mitigation
As of publication, no patched version has been announced. Administrators should monitor the TCExam website for updates. A temporary workaround is to disable the test creation functionality for non-admin users or implement input sanitization via a web application firewall. No official fix is available in the provided references [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- TCExam/TCExam
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The test name is stored unsanitized and later output without encoding in `F_printTestResultStat()` in `tce_test_allresults.php`, allowing stored cross-site scripting."
Attack vector
An authenticated attacker with operator-level privileges (level 5 or higher) creates a new test whose name contains JavaScript payloads (e.g., `
Affected code
The vulnerability resides in `public/code/tce_test_allresults.php`, where a call to `F_printTestResultStat()` outputs the unsanitized test name. The test name is stored with its original malicious content when a test is created via the test-creation functionality in `index.php` [1].
What the fix does
The advisory does not include a patch or specific remediation code. The recommended fix is to sanitize or encode the test name output in `F_printTestResultStat()` within `public/code/tce_test_allresults.php` before it is rendered to the browser, preventing the execution of injected HTML and JavaScript [1].
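The following is an added illustration of the output-encoding fix described above; it is not TCExam's code, and the function names, the row layout and the sample test names are constructed for the demo. It places the unencoded rendering pattern next to an encoded one, and adds a small audit helper a defender could run over existing test records while a patch is pending.

```php
<?php
declare(strict_types=1);

// Constructed sample rows (not real TCExam data): what stored test records
// might look like after an operator saved a name carrying markup.
$testRows = [
    ['test_id' => 41, 'test_name' => 'Midterm 2024'],
    ['test_id' => 42, 'test_name' => "Midterm <script>alert('stored xss')</script>"],
    ['test_id' => 43, 'test_name' => 'Lab "A" & B <i>retake</i>'],
];

// Vulnerable pattern (assumed shape, mirroring the advisory's description):
// the stored name is concatenated into the HTML unchanged, so the browser
// parses any injected tag as markup.
function renderTestNameUnsafe(array $row): string
{
    return '<td>' . $row['test_name'] . '</td>';
}

// Hardened pattern: encode at output time for the HTML text context.
// ENT_QUOTES encodes both ' and ", so the same helper is also safe inside
// quoted attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, which would silently blank the cell.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderTestNameSafe(array $row): string
{
    return '<td>' . h($row['test_name']) . '</td>';
}

// Audit helper for defenders: return the ids of stored test names that
// encoding would change, i.e. names containing <, >, &, " or '. Running this
// over the test table shows which records need review before the fix ships.
function findTestNamesWithMarkup(array $rows): array
{
    $hits = [];
    foreach ($rows as $row) {
        $name = (string) $row['test_name'];
        if ($name !== h($name)) {
            $hits[] = $row['test_id'];
        }
    }
    return $hits;
}

foreach ($testRows as $row) {
    echo 'unsafe: ' . renderTestNameUnsafe($row) . PHP_EOL;
    echo 'safe:   ' . renderTestNameSafe($row) . PHP_EOL;
}
echo 'rows needing review: ' . implode(', ', findTestNamesWithMarkup($testRows)) . PHP_EOL;
```

Encoding is applied at the point of output rather than on storage: the same stored value may be rendered in HTML, in a CSV export or in JSON, and each sink needs its own encoding. The audit helper flags row 43 as well as row 42, which is intended; a name such as `Lab "A" & B` is legitimate but still needs encoding before it is rendered.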
Preconditions
- Auth: Attacker must be authenticated with operator-level privileges (level 5 or higher)
- Input: Attacker must have access to create or modify a test
- Config: The crafted test must be accessible to other users viewing test results
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. www.tenable.com/security/research/tra-2020-31