| Title | Tecnick TCExam 16.5.0 Cross Site Scripting |
|---|
| Description | Stored Cross Site Scripting in TCExam 16.5.0 (Group Name)
Title
Stored Cross Site Scripting (XSS) in Group Name Parameter
Product
TCExam
Version
16.5.0
Vulnerability Type
CWE-79 – Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
CVSS v3.1 (Suggested)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Base Score: 6.4 (Medium)
⸻
Vulnerable Component
Group Management Module
Vulnerable File(s)
• /admin/code/tce_edit_group.php
• /admin/code/tce_select_users.php
Vulnerable Parameter
Name (Group Name field)
⸻
Technical Details
The application fails to properly sanitize or encode user input submitted to the Group Name field.
User-supplied HTML is stored in the database and later rendered without output encoding, resulting in Stored Cross-Site Scripting (XSS).
An attacker with permissions to create or edit groups can inject arbitrary HTML/JavaScript payloads. When another user (including an administrator) views the affected group, the malicious JavaScript executes automatically in their browser.
Proof of Concept Payload
<details open ontoggle=prompt(origin)>
Why This Payload Works
• The <details> element supports the open attribute.
• The ontoggle event fires automatically when the element is rendered.
• No user interaction is required.
• The script executes upon page load.
⸻
Steps to Reproduce
1. Log in as a user with permission to manage groups (e.g., Administrator).
2. Navigate to:
/admin/code/tce_edit_group.php
3. Click Add New Group.
4. In the Name field, insert:
<details open ontoggle=prompt(origin)>
5. Save the group.
6. Open:
/admin/code/tce_select_users.php
And view the created group in XML.
Result
A JavaScript prompt appears displaying the page origin, confirming execution of injected JavaScript.
Impact
An attacker can:
• Execute arbitrary JavaScript in victim browsers
• Perform actions on behalf of authenticated users
• Potentially hijack sessions (if protections are weak)
• Modify application content dynamically
Because the payload is stored, it persists and affects all users who view the malicious group.
⸻
Remediation
• Apply proper output encoding (e.g., htmlspecialchars() in PHP) before rendering user input.
• Implement strict server-side input validation.
• Consider using a secure HTML sanitization library.
• Deploy a Content Security Policy (CSP) as defense-in-depth.
|
|---|
| Source | https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/CVE%20Stored%20XSS.md |
|---|
| User | AhmadMarzouk (UID 95993) |
|---|
| Submission | 2026-03-02 08:35 (1 month ago) |
|---|
| Moderation | 2026-03-14 13:48 (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 351075 [Tecnick TCExam 16.5.0 Group tce_edit_group.php Name cross site scripting] |
|---|
| Points | 20 |
|---|
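
The output-encoding remediation from the advisory above, as an added PHP example (not TCExam's code and not from the submitter). The helper names, function names and sample rows are constructed for illustration; the second group name is the Group Name value quoted in the advisory.

```php
<?php
declare(strict_types=1);

// Constructed sample rows standing in for stored group records (not TCExam's schema).
$groups = [
    ['id' => 1, 'name' => 'Class 2026 A&B'],
    ['id' => 2, 'name' => '<details open ontoggle=prompt(origin)>'], // value from the advisory
];

// Hypothetical helper: encode for HTML element content and quoted attribute values.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hypothetical helper: encode for XML text and attributes (the advisory mentions an XML view).
function esc_xml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_XML1, 'UTF-8');
}

// Before: the stored name is concatenated into markup as-is, so stored tags become live elements.
function render_options_unencoded(array $groups): string
{
    $out = '';
    foreach ($groups as $g) {
        $out .= '<option value="' . $g['id'] . '">' . $g['name'] . "</option>\n";
    }
    return $out;
}

// After: every dynamic value is encoded at the point of output, for the context it lands in.
function render_options_encoded(array $groups): string
{
    $out = '';
    foreach ($groups as $g) {
        $out .= '<option value="' . esc_html((string) $g['id']) . '">'
              . esc_html($g['name']) . "</option>\n";
    }
    return $out;
}

// Print both renderings as plain text (run from the CLI) to compare the markup.
echo "unencoded:\n", render_options_unencoded($groups), "\n";
echo "encoded:\n", render_options_encoded($groups), "\n";
echo "xml:\n<group name=\"", esc_xml($groups[1]['name']), "\"/>\n";
```

Encoding is applied when the value is written into the page rather than when it is saved, so names already stored in the database are also rendered inert.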