REDCap 10.3.4 contains a XSS vulnerability in the ToDoList function with parameter sort. The information submitted by the user is immediately returned in the response and not escaped leading to the reflected XSS vulnerability. Attackers can exploit vulnerabilities to steal login session information or borrow user rights to perform unauthorized acts.
References
Link | Resource |
---|---|
https://github.com/vuongdq54/RedCap | Exploit Third Party Advisory |
https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes Vendor Advisory |
https://www.project-redcap.org/ | Product Vendor Advisory |
https://github.com/vuongdq54/RedCap | Exploit Third Party Advisory |
https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes Vendor Advisory |
https://www.project-redcap.org/ | Product Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 05:20
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/vuongdq54/RedCap - Exploit, Third Party Advisory | |
References | () https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ - Release Notes, Vendor Advisory | |
References | () https://www.project-redcap.org/ - Product, Vendor Advisory |
01 Jul 2021, 16:55
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:evms:redcap:10.3.4:*:*:*:-:*:*:* |
cpe:2.3:a:vanderbilt:redcap:10.0.20:*:*:*:lts:*:*:* cpe:2.3:a:vanderbilt:redcap:10.3.4:*:*:*:-:*:*:* |
Information
Published : 2021-01-12 15:15
Updated : 2024-11-21 05:20
NVD link : CVE-2020-26713
Mitre link : CVE-2020-26713
CVE.ORG link : CVE-2020-26713
JSON object : View
Products Affected
vanderbilt
- redcap
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')