CVE-2020-5750
Description
Insufficient output sanitization in TCExam 14.2.2 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks via the self-registration feature.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Persistent XSS in TCExam 14.2.2 self-registration allows unauthenticated attackers to inject arbitrary JavaScript via insufficient output sanitization.
Vulnerability
The self-registration feature in TCExam 14.2.2 accepts first and last name fields that are later rendered without output encoding, allowing an unauthenticated attacker to perform a persistent (stored) cross-site scripting (XSS) attack. Affected versions: TCExam 14.2.2. [1]
Exploitation
An unauthenticated attacker exploits the vulnerability by submitting malicious markup in the name fields during self-registration. The payload is stored with the account and executes in the browser of any user who views the affected page, which sits in the administrative interface, so the victim is typically an administrator. No authentication is required to plant the payload. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. Because the affected page is part of the administrative interface, that session is usually an administrator's, so the script can steal session cookies or perform privileged actions on the victim's behalf; in combination with other weaknesses (e.g., CSRF) this can be leveraged into persistent administrative access. [1]
Mitigation
The vulnerability was disclosed to the vendor on 2020-03-03, but as of the publication date (2020-05-07) no official fix had been released. Users are advised to monitor for updates or disable self-registration as a workaround. Note that disabling self-registration only blocks new malicious registrations; name fields already stored by earlier registrations still need to be reviewed. [1]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- TCExam/TCExam
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Insufficient output sanitization of user-supplied first and last name fields in tce_show_online_users.php allows stored cross-site scripting."
Attack vector
An unauthenticated attacker performs self-registration on the TCExam platform, crafting the first and last name fields to contain HTML script tags (e.g., `
Affected code
The vulnerability is in `/admin/code/tce_show_online_users.php`. At lines 122-126, the `$user_str` variable, which is constructed from the user's first and last names, is echoed without encoding. The advisory shows that when `F_isAuthorizedEditorForUser()` returns true, the raw `$user_str` is written directly into the HTML [ref_id=1].
What the fix does
The advisory does not include a patch or specific remediation code. It recommends that output encoding be applied to the first and last name fields before they are rendered in `tce_show_online_users.php`. The fix should ensure that user-supplied strings are HTML-encoded (or otherwise sanitized for the HTML context they land in) at the point where they are echoed, so that stored markup is displayed as text rather than executed [ref_id=1].
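The following is an added illustration, not TCExam's own code and not from the advisory: it places the raw-echo pattern described under "Affected code" beside the output-encoded form recommended under "What the fix does", and adds a small triage scan an administrator could run over stored name fields. The function names, the row layout, and the sample rows are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example (not TCExam's own code). Function names, the row layout and
// the sample rows below are assumptions made for illustration.

// Constructed rows standing in for what self-registration stored and what
// tce_show_online_users.php would read back for display.
$onlineUsers = [
    ['user_id' => 7, 'user_firstname' => 'Alice', 'user_lastname' => 'Smith'],
    ['user_id' => 8, 'user_firstname' => '<script>alert(document.cookie)</script>', 'user_lastname' => 'Mallory'],
    ['user_id' => 9, 'user_firstname' => 'Bob', 'user_lastname' => '" onmouseover="alert(1)'],
];

// Vulnerable pattern: $user_str is assembled from the stored names and echoed
// as-is, so stored markup becomes live markup in the administrator's browser.
function renderUserStrVulnerable(array $row): string
{
    $user_str = $row['user_firstname'] . ' ' . $row['user_lastname'];
    return '<td>' . $user_str . '</td>';
}

// Hardened pattern: encode at the point of output for the HTML text context.
// ENT_QUOTES also neutralises the string if it is ever reused inside an
// attribute; ENT_SUBSTITUTE keeps an invalid byte sequence from silently
// turning the whole output into an empty string.
function renderUserStrSafe(array $row): string
{
    $user_str = $row['user_firstname'] . ' ' . $row['user_lastname'];
    return '<td>' . htmlspecialchars($user_str, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8') . '</td>';
}

// Triage helper: flag stored name fields containing characters with HTML
// meaning. Apostrophes are deliberately not flagged because real names such
// as O'Brien contain them; anything flagged here deserves a manual look.
function findSuspiciousNames(array $rows): array
{
    $hits = [];
    foreach ($rows as $row) {
        foreach (['user_firstname', 'user_lastname'] as $field) {
            if (preg_match('/[<>"]/', $row[$field]) === 1) {
                $hits[] = ['user_id' => $row['user_id'], 'field' => $field, 'value' => $row[$field]];
            }
        }
    }
    return $hits;
}

foreach ($onlineUsers as $row) {
    echo 'vulnerable: ' . renderUserStrVulnerable($row) . PHP_EOL;
    echo 'hardened:   ' . renderUserStrSafe($row) . PHP_EOL;
}
foreach (findSuspiciousNames($onlineUsers) as $hit) {
    printf("flagged user %d (%s): %s%s", $hit['user_id'], $hit['field'], $hit['value'], PHP_EOL);
}
```

Run it with `php example.php`: for user 8 the vulnerable renderer emits a live `<script>` element while the hardened one emits `&lt;script&gt;...`, and the triage scan lists users 8 and 9. The encoding belongs at the output boundary rather than at registration time, because the same stored value may later be rendered in different contexts and because filtering on input leaves every other page that displays the name exposed.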
Preconditions
- network: The attacker must be able to access the self-registration page of the TCExam application.
- config: The application must have self-registration enabled (no authentication required to register).
- input: The attacker must provide malicious script content in the first name or last name fields during registration.
- auth: An administrator must navigate to /admin/code/tce_show_online_users.php while the attacker is logged in (or has an active session).
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. https://www.tenable.com/security/research/tra-2020-31 (MISC)
News mentions
No linked articles in our index yet.