Cross site scripting

REDCap 10.3.4 contains a XSS vulnerability in the ToDoList function with parameter sort. The information submitted by the user is immediately returned in the response and not escaped leading to the reflected XSS vulnerability. Attackers can exploit vulnerabilities to steal login session informati...

Sql injection

REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList function via sort parameter. The application uses the addition of a string of information from the submitted user that is not validated well in the database query, resulting in an SQL injection vulnerability where an attacker ca...

CVE-2020-26713

REDCap 10.3.4 contains a reflected XSS in the ToDoList function via the sort parameter. User-submitted data is returned unescaped in the response, enabling credential/session information theft or privilege abuse. No remediation details are provided in the supplied documents.

CVE-2020-26713

REDCap 10.3.4 contains a XSS vulnerability in the ToDoList function with parameter sort. The information submitted by the user is immediately returned in the response and not escaped leading to the reflected XSS vulnerability. Attackers can exploit vulnerabilities to steal login session informati...

CVE-2020-26712

REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList function via the sort parameter. The issue arises from incorporating user-supplied data into a database query without proper validation, enabling attacker-controlled input to affect the query and potentially access or compromise...

CVE-2020-26712

REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList function via sort parameter. The application uses the addition of a string of information from the submitted user that is not validated well in the database query, resulting in an SQL injection vulnerability where an attacker ca...

REDCap SQL Injection Vulnerability

REDCap is a data collection and management web application. REDCap 10.3.4 suffers from a SQL injection vulnerability that can be exploited by attackers to obtain sensitive information...

REDCap Cross-Site Scripting Vulnerability

REDCap is a data collection and management web application. REDCap 10.3.4 suffers from a cross-site scripting vulnerability that can be exploited by attackers to obtain sensitive information...

CVE-2020-27358

An issue was discovered in REDCap 8.11.6 through 9.x before 10. The messenger's CSV feature that allows users to export their conversation threads as CSV allows non-privileged users to export one another's conversation threads by changing the threadid parameter in the request to the endpoint...

CVE-2020-27359

A cross-site scripting XSS issue in REDCap 8.11.6 through 9.x before 10 allows attackers to inject arbitrary JavaScript or HTML in the Messenger feature. It was found that the filename of the image or file attached in a message could be used to perform this XSS attack. A user could craft a messag...

CVE-2020-27358

An issue was discovered in REDCap 8.11.6 through 9.x before 10. The messenger's CSV feature that allows users to export their conversation threads as CSV allows non-privileged users to export one another's conversation threads by changing the threadid parameter in the request to the endpoint...

Design/Logic Flaw

An issue was discovered in REDCap 8.11.6 through 9.x before 10. The messenger's CSV feature that allows users to export their conversation threads as CSV allows non-privileged users to export one another's conversation threads by changing the threadid parameter in the request to the endpoint...

CVE-2020-27359

CVE-2020-27359 is a publicized XSS in REDCap (versions 8.11.6–9.x before 10) affecting the Messenger feature. The vulnerability arises from the filename of attached images/files, which can be crafted into a message to execute arbitrary JavaScript/HTML on the recipient’s account across multiple pa...

CVE-2020-27359

A cross-site scripting XSS issue in REDCap 8.11.6 through 9.x before 10 allows attackers to inject arbitrary JavaScript or HTML in the Messenger feature. It was found that the filename of the image or file attached in a message could be used to perform this XSS attack. A user could craft a messag...

CVE-2020-27358

An issue was discovered in REDCap 8.11.6 through 9.x before 10. The messenger's CSV feature that allows users to export their conversation threads as CSV allows non-privileged users to export one another's conversation threads by changing the threadid parameter in the request to the endpoint...

CVE-2020-27358

CVE-2020-27358 affects REDCap 8.11.6 through 9.x before 10. The Messenger CSV export feature is vulnerable to an access-control bypass: non-privileged users can exfiltrate another user’s conversation threads by altering thread_id in the request to Messenger/messenger_download_csv.php?title=Hey&th...

CVE-2019-17121

REDCap before 9.3.4 has XSS on the Customize & Manage Locking/E-signatures page via Lock Record Custom Text values...

CVE-2019-17121

REDCap before 9.3.4 has XSS on the Customize & Manage Locking/E-signatures page via Lock Record Custom Text values...

Design/Logic Flaw

REDCap before 9.3.4 has XSS on the Customize & Manage Locking/E-signatures page via Lock Record Custom Text values...

CVE-2019-17121

CVE-2019-17121 affects REDCap prior to 9.3.4 and involves an XSS vulnerability on the "Customize & Manage Locking/E-signatures" page triggered through Lock Record Custom Text values. The description in the sources confirms the issue but does not provide details on root cause, affected modules bey...