TCExam users will definitely want to pay attention to this latest advisory posted by Secunia detailing a PHP code execution and cross-site scripting issue that's been found:
rgod has discovered two vulnerabilities in TCExam, which can be exploited by malicious people to conduct cross-site scripting attacks or to compromise a vulnerable system.
The two issues relate to two different inputs not being handled properly: the SessionUserLang cookie and the _SERVER[SCRIPT_NAME] value. Neither of these is being sanitized.
This issue affects users of the TCExam 4.x series, but a new version, 4.1.000, has already been released and made available for download.