CVE-2021-25647 - Stored XSS on Mobile Application "Testes de Código"


Vulnerability Details

Vendor: TM Mobile Solutions

Product: "Testes de Código" Mobile Application (Android & iOS)

About: The mobile application "Testes de Código" (tdc.testesdecodigo) lets its users take theoretical driving tests based on the Portuguese traffic rules. The application also includes a public forum for asking questions and a chat for communication between students.
It is the #1 mobile app for practising theoretical driving tests in Portugal, with 500,000+ installations on Android devices.

Affected version: Version 11.3 and earlier.

Problem type: Code injection; Stored cross-site scripting

Description: The application allows its users to submit feedback through the "tdc_testemunhos" component without sanitizing the input. As a consequence, a malicious user can inject raw JavaScript or HTML code, which is stored in the remote database and then executed on the devices of every client that loads the feedback (stored cross-site scripting).

Solution: Update to version 11.4 or newer.



Disclosure Timeline

  1. 2021-01-13: Issue reported to vendor
  2. 2021-01-13: Vendor acknowledged and confirmed the vulnerability
  3. 2021-01-14: Vendor fixed the issue
  4. 2021-01-15: CVE ID requested through MITRE
  5. 2021-01-27: Public disclosure

Reported by: João Varelas
