TCExam <=11.2.011 Multiple Cross-Site Scripting Vulnerabilities

Severity
Medium
Advisory ID
ZSL-2011-5025
Release Date
13 July 2011
Vendor
Tecnick.com s.r.l. - http://www.tcexam.org
Affected Version
11.2.009, 11.2.010 and 11.2.011
CVE
N/A
Tested On
Microsoft Windows XP Professional SP3 (EN), Apache 2.2.14 (Win32), PHP 5.3.1, MySQL 5.1.41
Summary

TCExam is a FLOSS system for electronic exams (also known as CBA - Computer-Based Assessment, CBT - Computer-Based Testing or e-exam) that enables educators and trainers to author, schedule, deliver, and report on quizzes, tests and exams.

Description

TCExam suffers from multiple pre- and post-authentication XSS vulnerabilities: user input passed to multiple parameters via the GET and POST methods is reflected by multiple scripts without adequate sanitization. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user's browser session.

Proof of Concept

Disclosure Timeline

09.07.2011 Vulnerability discovered.
10.07.2011 Initial contact with the vendor.
11.07.2011 Vendor responds asking for more details.
11.07.2011 Sent details to vendor.
12.07.2011 Vendor confirms the issues.
12.07.2011 Working with the vendor.
13.07.2011 Vendor releases version 11.2.012 to address these issues.
13.07.2011 Coordinated public security advisory released.

Credits

Vulnerability discovered by Gjoko Krstic
High five to Dr. Nicola Asuni

References

Changelog

13.07.2011 Initial release
14.07.2011 Added reference [3], [4], [5] and [6]
16.07.2011 Added reference [7], [8], [9], [10], [11], [12], [13], [14], [15], [16], [17], [18], [19], [20] and [21]
19.07.2011 Added reference [22]