Reaching out to share a new blog post from Tenable detailing the discovery of multiple vulnerabilities in TCExam, a popular open-source online testing system.
By the end of April, over 1.2B children around the globe were out of the classroom due to COVID-19, forcing students and their classes to move online. Translated into over 25 different languages, TCExam is a widely used e-learning system that allows educators to create exams for students and deliver them remotely.
If the vulnerabilities are exploited, an unauthenticated, remote attacker could gain administrative access to TCExam, allowing – for instance – a student (or other malicious actor) to view the grades of other students in their course, or to change other students’ passwords and fail their exams. TCExam quickly collaborated with Tenable to issue patches in their next update, but in the interest of ensuring students’ online education is secure, we wanted to raise awareness for any remaining vulnerable users. The technical advisory can be found here and the blog post here – let me know if you’d be interested in connecting with a researcher from Tenable to discuss the disclosure in depth.