CVE-2020-26712
https://notcve.org/view.php?id=CVE-2020-26712
REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList function via the sort parameter. The application appends user-submitted input to the database query without adequately validating it, resulting in a SQL injection vulnerability that an attacker can exploit to compromise all databases.
• https://github.com/vuongdq54/RedCap
• https://www.evms.edu/research/resources_services/redcap/redcap_change_log
• https://www.project-redcap.org
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-27359
https://notcve.org/view.php?id=CVE-2020-27359
A cross-site scripting (XSS) issue in REDCap 8.11.6 through 9.x before 10 allows attackers to inject arbitrary JavaScript or HTML in the Messenger feature. It was found that the filename of the image or file attached in a message could be used to perform this XSS attack. A user could craft a message and send it to anyone on the platform including admins. The XSS payload would execute on the other account without interaction from the user on several pages.
• https://github.com/seb1055/cve-2020-27358-27359
• https://www.evms.edu/research/resources_services/redcap/redcap_change_log
• https://www.ruse.tech/blog/38
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-27358
https://notcve.org/view.php?id=CVE-2020-27358
An issue was discovered in REDCap 8.11.6 through 9.x before 10. The messenger's CSV feature (that allows users to export their conversation threads as CSV) allows non-privileged users to export one another's conversation threads by changing the thread_id parameter in the request to the endpoint Messenger/messenger_download_csv.php?title=Hey&thread_id={THREAD_ID}.
• https://github.com/seb1055/cve-2020-27358-27359
• https://www.evms.edu/research/resources_services/redcap/redcap_change_log
• https://www.ruse.tech/blog/38
• CWE-276: Incorrect Default Permissions
CVE-2019-17121
https://notcve.org/view.php?id=CVE-2019-17121
REDCap before 9.3.4 has XSS on the Customize & Manage Locking/E-signatures page via Lock Record Custom Text values.
• https://www.evms.edu/research/resources_services/redcap/redcap_change_log
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-15127
https://notcve.org/view.php?id=CVE-2019-15127
REDCap before 9.3.0 allows XSS attacks against non-administrator accounts on the Data Import Tool page via a CSV data import file.
• https://www.evms.edu/research/resources_services/redcap/redcap_change_log
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')