CVE-2021-20114

7.5 HIGH

📋 TL;DR

This vulnerability allows unauthenticated attackers to access sensitive database backup files in TCExam installations. It affects all TCExam installations using default or recommended settings, potentially exposing user data, credentials, and other sensitive information.

💻 Affected Systems

Products:
  • TCExam
Versions: <= 14.8.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations using default or recommended settings where the /cache/backup/ directory is web-accessible.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers download database backups containing user credentials, personal data, and exam content, leading to a complete data breach and potential credential reuse attacks.

🟠 Likely Case

Unauthenticated users access and download database backup files containing sensitive information such as user credentials and exam data.

🟢 If Mitigated

With proper access controls, the backup directory is inaccessible to unauthenticated users, preventing data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only a web browser or a curl command to request the directory path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 14.8.2

Vendor Advisory: https://github.com/tecnickcom/tcexam/releases

Restart Required: No

Instructions:

1. Download TCExam 14.8.2 or later from the official repository.
2. Replace the existing installation files with the new version.
3. Verify that the /cache/backup/ directory has proper access controls.

🔧 Temporary Workarounds

Restrict directory access (platform: all)

Add a .htaccess file to block access to the /cache/backup/ directory:

echo 'Deny from all' > /path/to/tcexam/cache/backup/.htaccess

Move backup directory (platform: linux)

Relocate the backup directory outside the web root:

mv /path/to/tcexam/cache/backup/ /new/secure/location/
ln -s /new/secure/location/ /path/to/tcexam/cache/backup/

🧯 If You Can't Patch

  • Implement web server rules to block access to the /cache/backup/ directory
  • Regularly delete old backup files and store them in a secure location

🔍 How to Verify

Check if Vulnerable:

Attempt to access http://your-tcexam-url/cache/backup/ in a browser or using curl. If a directory listing or files are accessible, the system is vulnerable.

Check Version:

Check the TCExam version in the admin panel or examine the tcexam/CODE/version.php file.

Verify Fix Applied:

Attempt the same access after the fix. You should receive a 403 Forbidden or similar access-denied error.

📡 Detection & Monitoring

Log Indicators:

  • Multiple 200 OK responses to /cache/backup/ paths for unauthenticated clients
  • Large file downloads from the backup directory

Network Indicators:

  • HTTP GET requests to /cache/backup/*.sql or /cache/backup/*.gz from external IPs

SIEM Query:

source="web_logs" AND (uri_path="/cache/backup/" OR uri_path="/cache/backup/*") AND http_status=200 AND user_agent!="internal_monitor"
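Added example (not part of the original advisory or of TCExam): the log indicators above, implemented as an offline detection pass over Apache/nginx combined-format access log lines. It percent-decodes and normalizes the request path so obfuscated spellings of /cache/backup/ are still caught, keeps only HTTP 200 responses (a 403 means the control held), and skips the assumed "internal_monitor" user agent from the SIEM query. The log entries are constructed.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache/nginx "combined" log format; sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)
BACKUP_DIR = "/cache/backup"
IGNORED_AGENTS = {"internal_monitor"}  # assumed name of an in-house health checker

def normalize(path):
    """Drop the query string, percent-decode and collapse ./.. so that
    obfuscated spellings of the backup path still match."""
    path = unquote(path.split("?", 1)[0])
    return "/" + posixpath.normpath(path).lstrip("/")

def find_backup_access(lines):
    """Return (ip, normalized_path, bytes) for each successful (HTTP 200)
    request under /cache/backup/. A 403/404 means the access control held."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the sweep
        path = normalize(m.group("path"))
        in_backup = path == BACKUP_DIR or path.startswith(BACKUP_DIR + "/")
        if not in_backup or m.group("status") != "200":
            continue
        if m.group("ua") in IGNORED_AGENTS:
            continue
        size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
        hits.append((m.group("ip"), path, size))
    return hits

def summarize_by_ip(hits):
    """Aggregate hits into {ip: (request_count, total_bytes)} for triage."""
    totals = defaultdict(lambda: [0, 0])
    for ip, _path, size in hits:
        totals[ip][0] += 1
        totals[ip][1] += size
    return {ip: (n, b) for ip, (n, b) in totals.items()}

SAMPLE_LOG = [  # constructed entries, not from a real installation
    '203.0.113.7 - - [10/Mar/2021:14:02:11 +0000] "GET /cache/backup/ HTTP/1.1" 200 1534 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2021:14:02:15 +0000] "GET /cache/backup/tcexam_20210309.sql.gz HTTP/1.1" 200 2097152 "-" "curl/7.68.0"',
    '198.51.100.4 - - [10/Mar/2021:14:03:00 +0000] "GET /cache/backup/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Mar/2021:14:05:00 +0000] "GET /cache/backup/ HTTP/1.1" 200 1534 "-" "internal_monitor"',
    '203.0.113.9 - - [10/Mar/2021:14:06:30 +0000] "GET /cache/%62ackup/dump.sql?x=1 HTTP/1.1" 200 5120 "-" "python-requests/2.25"',
    '192.0.2.1 - - [10/Mar/2021:14:07:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]
```

Running `summarize_by_ip(find_backup_access(SAMPLE_LOG))` on the constructed log yields two external addresses with successful backup-directory hits; the 403 and the monitor's request are correctly excluded.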
