Vulnerabilities > CVE-2007-2431 - Cross-Site Scripting vulnerability in TCExam $_SERVER[]

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
tecnick-com
exploit available

Summary

Dynamic variable evaluation vulnerability in shared/config/tce_config.php in TCExam 4.0.011 and earlier allows remote attackers to conduct cross-site scripting (XSS) and possibly other attacks by modifying critical variables such as $_SERVER, as demonstrated by injecting web script via the _SERVER[SCRIPT_NAME] parameter.

Vulnerable Configurations

Part Description Count
Application
Tecnick.Com
1

Exploit-Db

descriptionTCExam <= 4.0.011 (SessionUserLang) Shell Injection Exploit. CVE-2007-2430,CVE-2007-2431. Webapps exploit for php platform
fileexploits/php/webapps/3816.php
idEDB-ID:3816
last seen2016-01-31
modified2007-04-29
platformphp
port
published2007-04-29
reporterrgod
sourcehttps://www.exploit-db.com/download/3816/
titleTCExam <= 4.0.011 SessionUserLang Shell Injection Exploit
typewebapps