CVE-2020-26713
REDCap 10.3.4 contains a reflected XSS in the ToDoList function via the sort parameter. User-submitted data is returned unescaped in the response, enabling credential/session information theft or privilege abuse. No remediation details are provided in the supplied documents.