### [CVE-2021-20116](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20116)
![](https://img.shields.io/static/v1?label=Product&message=TCExam&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3C%3D%2014.8.4%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=Reflected%20Cross-Site%20Scripting&color=brightgreen)

### Description

A reflected cross-site scripting vulnerability exists in TCExam <= 14.8.4. The paths provided in the f, d, and dir parameters in tce_select_mediafile.php were not properly validated and could cause reflected XSS via the unsanitized output of the path supplied. An attacker could craft a malicious link which, if triggered by an administrator, could result in the attacker hijacking the victim's session or performing actions on their behalf.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/20142995/nuclei-templates
- https://github.com/cyb3r-w0lf/nuclei-template-collection