CVE-2020-5748
Description
Insufficient output sanitization in TCExam 14.2.2 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks via the self-registration feature.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Persistent XSS in TCExam 14.2.2 self-registration allows unauthenticated attackers to inject arbitrary scripts that execute for other users.
Vulnerability
TCExam 14.2.2 suffers from insufficient output sanitization in the self-registration feature, enabling persistent cross-site scripting (XSS). An attacker can register with malicious JavaScript payloads in user-controlled fields, which are later rendered without proper encoding. This affects unauthenticated users. [1]
Exploitation
An unauthenticated attacker accesses the self-registration page and submits crafted data, such as a username containing an XSS payload. No authentication is required. The payload is stored and executed when an administrator or other user views the registered user information. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session, potentially leading to session theft, account takeover, or administrative access when combined with other vulnerabilities like CSRF. [1]
Mitigation
The vendor has not released a patch as of the publication date. Administrators should disable self-registration if not required or apply input sanitization manually. [1]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- TCExam / TCExam
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing output sanitization in F_print_error() allows stored HTML/JavaScript in the username field to execute in an administrator's browser."
Attack vector
An unauthenticated attacker crafts a username containing HTML script tags during the self-registration process [ref_id=1]. When an administrator later visits `tce_edit_user.php` to update or delete that user, the unsanitized username is passed to `F_print_error()` and rendered in the administrator's browser, executing the injected JavaScript [ref_id=1]. No authentication is required for the initial injection, making this a persistent cross-site scripting (XSS) attack that targets administrative users.
Affected code
The vulnerability is in `tce_edit_user.php`. When an administrator updates or deletes a user whose username contains HTML script tags, the unsanitized username is passed to `F_print_error()` and displayed without sanitization [ref_id=1]. The advisory notes that `F_print_error()` is called with unsanitized user input in several other files as well (`tce_edit_group.php`, `tce_edit_subject.php`, `tce_edit_module.php`, `tce_edit_test.php`, `tce_edit_sslcerts.php`), leading to the same issue [ref_id=1].
What the fix does
The advisory does not include a patch or specific remediation code [ref_id=1]. The recommended fix is to sanitize or encode user-supplied input—particularly the username field during self-registration—before it is stored, and to apply output encoding when passing user-controlled data to `F_print_error()` and similar display functions [ref_id=1]. The advisory also notes that the same unsanitized pattern exists in multiple other editor pages, so a comprehensive sanitization strategy across all those code paths is necessary [ref_id=1].
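The two controls the paragraph above recommends (validating the username at registration time and encoding it whenever it is written into an error message) can be demonstrated in a few lines of PHP. The following is an added illustration, not TCExam's own code and not the advisory's patch: `validate_username()`, `render_error_safe()` and the `{username}` placeholder convention are assumptions made for this example, and the sample username is a constructed value of the kind the advisory describes (HTML script tags submitted through self-registration).

```php
<?php
// Added example (not TCExam code): input validation at registration plus
// output encoding at display time, the two layers the advisory calls for.

// Defense in depth, layer 1: reject usernames that are not plain
// alphanumerics/underscores at self-registration, before they are stored.
// (Hypothetical allow-list; the real policy is the application's choice.)
function validate_username(string $username): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_]{3,32}$/', $username);
}

// Defense in depth, layer 2: a display helper that encodes every
// user-controlled fragment for an HTML text context before it is echoed.
// This is the property the advisory says F_print_error() lacks.
function render_error_safe(string $template, array $values): string
{
    $replacements = [];
    foreach ($values as $key => $value) {
        // ENT_QUOTES escapes both quote styles (safe inside attributes too);
        // ENT_SUBSTITUTE avoids returning '' on invalid UTF-8 sequences.
        $replacements['{' . $key . '}'] = htmlspecialchars(
            (string) $value,
            ENT_QUOTES | ENT_SUBSTITUTE,
            'UTF-8'
        );
    }
    // Only the encoded values ever reach the markup.
    return strtr($template, $replacements);
}

// Constructed sample: a stored username carrying HTML script tags.
$username = '<script>alert(1)</script>';

// Layer 1 would have refused this value at registration time.
var_dump(validate_username($username));          // bool(false)
var_dump(validate_username('alice_01'));         // bool(true)

// Weak form: the raw username is interpolated into the error markup, so
// the administrator's browser executes it when the page is rendered.
$unsafe = '<p class="error">User ' . $username . ' could not be updated.</p>';

// Corrected form: the same message, with the username encoded for HTML.
$safe = '<p class="error">'
      . render_error_safe('User {username} could not be updated.', ['username' => $username])
      . '</p>';

// The encoded output contains no live <script> element, only inert text.
echo $safe, "\n";
var_dump(strpos($unsafe, '<script>') !== false);  // bool(true)  - executable
var_dump(strpos($safe, '<script>') === false);    // bool(true)  - inert
```

The encoding step belongs at the point of output, not only at registration: a value that was stored before validation was introduced (or that arrives through another code path, such as the other editor pages the advisory lists) is still rendered safely, which is why the advisory treats output encoding in the display function as the necessary part of the fix.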
Preconditions
- Input: The attacker must be able to access the self-registration feature to create a new account with a crafted username.
- Auth: An administrator must later visit `tce_edit_user.php` and perform an update or delete action on the crafted username.
- Auth: No authentication is required for the initial injection step.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. www.tenable.com/security/research/tra-2020-31 (MISC)
News mentions
No linked articles in our index yet.