REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList function via sort parameter. The application uses the addition of a string of information from the submitted user that is not validated well in the database query, resulting in an SQL injection vulnerability where an attacker can exploit and compromise all databases.
References
Link | Resource |
---|---|
https://github.com/vuongdq54/RedCap | Exploit Third Party Advisory |
https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes Vendor Advisory |
https://www.project-redcap.org/ | Product Vendor Advisory |
https://github.com/vuongdq54/RedCap | Exploit Third Party Advisory |
https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes Vendor Advisory |
https://www.project-redcap.org/ | Product Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 05:20
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/vuongdq54/RedCap - Exploit, Third Party Advisory | |
References | () https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ - Release Notes, Vendor Advisory | |
References | () https://www.project-redcap.org/ - Product, Vendor Advisory |
01 Jul 2021, 16:55
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:evms:redcap:10.3.4:*:*:*:-:*:*:* |
cpe:2.3:a:vanderbilt:redcap:10.0.20:*:*:*:lts:*:*:* cpe:2.3:a:vanderbilt:redcap:10.3.4:*:*:*:-:*:*:* |
Information
Published : 2021-01-12 15:15
Updated : 2024-11-21 05:20
NVD link : CVE-2020-26712
Mitre link : CVE-2020-26712
CVE.ORG link : CVE-2020-26712
JSON object : View
Products Affected
vanderbilt
- redcap
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')