{"id":"CVE-2021-20116","details":"A reflected cross-site scripting vulnerability exists in TCExam \u003c= 14.8.4. The paths provided in the f, d, and dir parameters in tce_select_mediafile.php were not properly validated and could cause reflected XSS via the unsanitized output of the path supplied. An attacker could craft a malicious link which, if triggered by an administrator, could result in the attacker hijacking the victim's session or performing actions on their behalf.","modified":"2026-04-10T04:29:14.604953Z","published":"2021-08-05T21:15:10.247Z","references":[{"type":"EVIDENCE","url":"https://www.tenable.com/security/research/tra-2021-32"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tecnickcom/tcexam","events":[{"introduced":"0"},{"last_affected":"7750179496964aa7effd08e5ffde6be0d00f2bdf"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"14.8.4"}]}}],"versions":["12.0.013","12.0.014","12.1.000","12.1.001","12.1.002","12.1.003","12.1.004","12.1.005","12.1.006","12.1.007","12.1.008","12.1.009","12.1.010","12.1.011","12.1.012","12.1.013","12.1.014","12.1.015","12.1.016","12.1.017","12.1.018","12.1.019","12.1.020","12.1.021","12.1.022","12.1.023","12.1.024","12.1.025","12.1.026","12.1.027","12.1.28","12.1.29","12.1.30","12.2.0","12.2.1","12.2.2","12.2.3","12.2.4","12.2.5","13.0.1","13.0.2","13.1.1","13.2.0","13.2.1","13.3.0","14.0.0","14.0.1","14.0.2","14.0.3","14.1.0","14.1.2","14.1.3","14.1.4","14.2.1","14.2.2","14.2.3","14.3.0","14.3.1","14.3.2","14.4.0","14.4.1","14.5.0","14.5.1","14.5.2","14.6.0","14.7.0","14.8.0","14.8.1","14.8.2","14.8.3","14.8.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-20116.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}