CVE-2020-5751
Description
Insufficient output sanitization in TCExam 14.2.2 allows a remote, authenticated attacker to conduct persistent cross-site scripting (XSS) attacks by creating a crafted operator.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated attacker can create crafted operators in TCExam 14.2.2 to inject persistent XSS, impacting other users of the application.
Vulnerability
CVE-2020-5751 is a persistent cross-site scripting (XSS) vulnerability in TCExam version 14.2.2. The application fails to properly sanitize output when creating operators, allowing an authenticated attacker with operator creation privileges to inject arbitrary HTML or JavaScript that persists in the application's data [1].
Exploitation
An authenticated attacker must have sufficient privileges to create operator records. By crafting malicious input in operator name or other fields that are not sanitized, the attacker can embed malicious scripts. When other users, including administrators, view the operator list or related pages, the injected script executes in their browser [1]. The attacker does not need any special network position beyond being able to reach the web interface.
Impact
Successful exploitation leads to persistent execution of attacker-controlled JavaScript in the context of the TCExam application for any user who views the affected page. Depending on the victim's privileges, the attacker could potentially perform actions on behalf of that user, such as modifying tests, accessing test data, or escalating privileges. This can result in full compromise of the application's confidentiality, integrity, and availability for the victim's session [1].
Mitigation
As of the publication date (2020-05-07), no patched version has been released by TCExam for this vulnerability. The vendor did not respond to coordinated disclosure attempts [1]. Users should consider restricting access to the application, using web application firewalls (WAFs) to filter XSS payloads, and ensuring that operators are created only by trusted users until a fix is available.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- TCExam/TCExam
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Insufficient output sanitization — user-controlled first and last name fields are echoed directly into HTML without encoding, allowing JavaScript injection."
Attack vector
An authenticated administrator edits the first or last name of an operator (or any non-admin user who can edit modules) to include malicious JavaScript tags. When that operator subsequently navigates to `/admin/code/tce_edit_module.php`, the unsanitized name is rendered in the HTML output at the code snippet `echo '('.$m['user_name'].')'.$m['user_lastname'].' '.$m['user_firstname'].''.K_NEWLINE;` [ref_id=1]. The payload executes in the operator's browser session, achieving persistent cross-site scripting (XSS). The attack requires the administrator account to be compromised or complicit, and the victim must be an operator-level user (not an admin) [ref_id=1].
Affected code
The vulnerable code is in `/admin/code/tce_edit_module.php` at the line `echo '('.$m['user_name'].')'.$m['user_lastname'].' '.$m['user_firstname'].''.K_NEWLINE;` [ref_id=1]. The `user_firstname` and `user_lastname` values are output directly without HTML encoding.
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] identifies the root cause as unsanitized user input being passed directly to `echo` in `tce_edit_module.php`. The remediation would require HTML-encoding the `user_firstname` and `user_lastname` values before output, for example by using `htmlspecialchars()` or the application's equivalent output-escaping function, to prevent interpretation of injected script tags.
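To make the remediation concrete, here is the cited `echo` in its original form beside an output-escaped version. This is an added illustration, not TCExam code or a vendor patch; the `$m` row shape is taken from the snippet quoted above, the `h()` helper and the sample values are constructed for this example.

```php
<?php
// Added illustration (not TCExam code): hardened form of the echo in
// tce_edit_module.php quoted above, run against a constructed user row.

// Mirror the newline constant the original snippet appends.
defined('K_NEWLINE') || define('K_NEWLINE', "\n");

/**
 * Escape a value for an HTML text node or quoted attribute.
 * ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces
 * malformed UTF-8 instead of returning an empty string.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the operator label from a row shaped like $m on the page.
// Escaping is applied at output time; the stored name stays untouched so
// the record can be re-edited later without double-encoding.
function operatorLabel(array $m): string
{
    return '(' . h($m['user_name']) . ')' . h($m['user_lastname']) . ' '
        . h($m['user_firstname']) . K_NEWLINE;
}

// Constructed sample row (hypothetical values, not from the advisory).
// The last name carries markup to show it is rendered inert.
$m = [
    'user_name'      => 'op01',
    'user_lastname'  => 'Doe <b>not bold</b>',
    'user_firstname' => 'Jane',
];

// Original, vulnerable form: markup in the name reaches the browser intact.
$vulnerable = '(' . $m['user_name'] . ')' . $m['user_lastname'] . ' '
    . $m['user_firstname'] . '' . K_NEWLINE;

echo 'vulnerable: ' . $vulnerable;
echo 'hardened:   ' . operatorLabel($m);
```

Note that `user_name` is escaped as well: it is emitted on the same line and has no stronger guarantee than the name fields, so treating every user-supplied value identically at the output boundary avoids relying on upstream validation.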
Preconditions
- Auth: Attacker must be an authenticated administrator with privileges to edit user profiles.
- Config: The victim must be an operator (or non-admin user who can edit modules) who will navigate to `/admin/code/tce_edit_module.php`.
- Input: The administrator must set the first or last name field to contain an HTML/JavaScript payload.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. www.tenable.com/security/research/tra-2020-31 (MISC)
News mentions
No linked articles in our index yet.