CyberSec.Space Logo
Back to CVE Browser

CVE-2020-26712

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0470%
EPSS Percentile0.60th
PublishedJan 12, 2021
Last ModifiedNov 21, 2024

Vulnerability Description

REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList function via sort parameter. The application uses the addition of a string of information from the submitted user that is not validated well in the database query, resulting in an SQL injection vulnerability where an attacker can exploit and compromise all databases.

Affected Platforms (CPE)

πŸ“¦
Vanderbilt

Redcap

= 10.0.20
πŸ“¦
Vanderbilt

Redcap

= 10.3.4

References & Advisories

πŸ”— https://github.com/vuongdq54/RedCap
πŸ”— https://www.evms.edu/research/resources_services/redcap/redcap_change_log/
πŸ”— https://www.project-redcap.org/
πŸ”— https://github.com/vuongdq54/RedCap
πŸ”— https://www.evms.edu/research/resources_services/redcap/redcap_change_log/
πŸ”— https://www.project-redcap.org/

Related Vulnerabilities

CVE-2013-461110.0

Multiple unspecified vulnerabilities in REDCap before 5.1.1 allow remote attackers to have an unknown impact via vectors involving...

CVE-2013-461010.0

Unspecified vulnerability in the Data Search utility in data-entry forms in REDCap before 5.0.3 and 5.1.x before 5.1.2 has unknown...

CVE-2021-421369.0

A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap before 11.4.0 allows remote at...

CVE-2017-109618.8

REDCap before 7.5.1 has CSRF in the deletion feature of the File Repository and File Upload components.