SQL Injection Vulnerability in REDCap by Vanderbilt University
CVE-2020-26712

9.8CRITICAL

Key Information:

Vendor

Vanderbilt

Status
Redcap
Vendor
CVE Published:
12 January 2021

What is CVE-2020-26712?

REDCap version 10.3.4 features a SQL injection vulnerability within its ToDoList function, specifically via the 'sort' parameter. This flaw arises from insufficient validation of user-submitted data in the database query process. When exploited, an attacker can manipulate this vulnerability to compromise the application's database, potentially gaining unauthorized access to sensitive information stored within. Proper input validation and security measures are crucial to mitigate this risk.

References

https://www.evms.edu/research/resources_services/redcap/r...
x_refsource_MISC
https://www.project-redcap.org/
x_refsource_MISC
https://github.com/vuongdq54/RedCap
x_refsource_MISC

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2020-26712 : SQL Injection Vulnerability in REDCap by Vanderbilt University