
@hiennv20
hiennv20 / sqli_redcap.md
Last active Aug 18, 2019
SQL injection in Redcap 8.11.5 to before 9.3.0 Standard
Description: REDCap 8.11.5 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3)). An attacker can exploit this to extract any data from the REDCap database.

Vulnerability type: SQL Injection
Vendor of Product: Redcap
Affected Product Code Base: Redcap - 8.11.5 to before 9.3.0 Standard
Affected Component: Calendar function in a project of the REDCap application
Attack Type: Remote
Impact Escalation of Privileges: true
Attack Vectors: To exploit the vulnerability, the user must be logged in to the application and have access to a specific project in the REDCap application.
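A defender-side view of the pattern described above, as an added example that is not part of the gist or of REDCap's own code: `validate_cal_id()` is the strict integer check an application should apply to an identifier that is only ever meant to be a number (bound as a query parameter downstream, it leaves no room for `and sleep(3)`), and `scan_access_log()` flags requests in web-server access logs whose cal_id value is not a plain integer, noting when a MySQL/MariaDB time-delay function appears and when the response was slow, which is what a successful time-based probe looks like from the server side. The log lines, the endpoint path and the trailing response-time field (milliseconds, as Apache's `%{ms}T` would log) are constructed sample data, not REDCap paths or real traffic.

```python
"""Defensive checks for the cal_id time-based SQL injection pattern.

Added example, not REDCap code. The endpoint path, users, addresses and
response times below are constructed sample data.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Delay primitives available in MySQL/MariaDB, REDCap's database backend.
TIME_DELAY_RE = re.compile(r"\b(sleep|benchmark)\b", re.IGNORECASE)

# Combined log format plus one optional trailing response-time field (ms).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r"(?P<status>\d{3}) (?P<size>\S+)(?: (?P<rt>\d+))?"
)

# Constructed sample lines: a normal lookup, the page's payload (slow reply),
# a malformed but non-injection value, and an unrelated request.
SAMPLE_LOG = """\
203.0.113.10 - alice [18/Aug/2019:10:01:02 +0000] "GET /redcap/CALENDAR_EDIT_PLACEHOLDER.php?pid=12&cal_id=55 HTTP/1.1" 200 4012 120
203.0.113.10 - alice [18/Aug/2019:10:01:09 +0000] "GET /redcap/CALENDAR_EDIT_PLACEHOLDER.php?pid=12&cal_id=55%20and%20sleep(3) HTTP/1.1" 200 4012 3120
203.0.113.10 - alice [18/Aug/2019:10:01:15 +0000] "GET /redcap/CALENDAR_EDIT_PLACEHOLDER.php?pid=12&cal_id=abc HTTP/1.1" 200 4012 110
198.51.100.7 - - [18/Aug/2019:10:02:00 +0000] "GET /redcap/index.php HTTP/1.1" 200 801 40
"""


def validate_cal_id(raw):
    """Return cal_id as an int, or None unless it is a plain non-negative integer.

    Rejecting everything else before the value reaches SQL (and binding it as
    a parameter there) removes the injection surface entirely.
    """
    if raw is None or not re.fullmatch(r"[0-9]{1,10}", raw):
        return None
    return int(raw)


def scan_access_log(log_text, slow_ms=2000):
    """Return one finding per request whose cal_id fails validate_cal_id().

    reason is 'time_delay_function' when a delay primitive appears in the
    value, otherwise 'non_integer'; slow is True when the logged response
    time is at least slow_ms, the server-side symptom of a time-based probe.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log line we understand; skip rather than guess
        parts = m.group("req").split(" ")
        target = parts[1] if len(parts) >= 2 else ""
        # parse_qs percent-decodes, so "55%20and%20sleep(3)" becomes readable
        qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for val in qs.get("cal_id", []):
            if validate_cal_id(val) is not None:
                continue
            reason = "time_delay_function" if TIME_DELAY_RE.search(val) else "non_integer"
            rt = int(m.group("rt")) if m.group("rt") else None
            findings.append({
                "ip": m.group("ip"),
                "user": m.group("user"),
                "cal_id": val,
                "reason": reason,
                "slow": rt is not None and rt >= slow_ms,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f)
```

Run against real logs, the `slow` flag is what separates a typo in the parameter from an active probe: a non-integer cal_id that also took seconds to answer is the signature of the page's payload, and a burst of such lines from one authenticated user is the event to alert on.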
