Description: REDCap 8.11.5 allows time-based SQL injection in the edit calendar event function via the cal_id parameter (for example, cal_id=55 and sleep(3)). An attacker can exploit this to extract any data from the REDCap database.
Vulnerability type: SQL Injection
Vendor of Product: REDCap
Affected Product Code Base: REDCap 8.11.5 up to, but not including, 9.3.0 Standard
Affected Component: Calendar function within a project of the REDCap application
Attack Type: Remote
Impact Escalation of Privileges: true
Attack Vectors: To exploit the vulnerability, the user must be logged in to the application and have access to the specific project in the REDCap application.
Reference: https://projectredcap.org/resources/community/
Reproduce:
- Log in to the REDCap application as a user who has permission to update events in the calendar.
- Edit the event notes and pass cal_id = id_number and sleep(5) to trigger the time-based SQL injection (URL /redcap_v9.2.3//Calendar/calendar_popup_ajax.php).
Release note in which REDCap fixed this vulnerability: https://www.evms.edu/research/resources_services/redcap/redcap_change_log/
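The root cause described above is an integer parameter (cal_id) reaching a SQL query without validation or parameter binding. The following is an added example, not REDCap's own code, showing the two defender-side controls a practitioner would want: strict integer validation with a parameterized lookup (the mitigation), and a scan of web-server access logs that flags requests to the calendar endpoint whose cal_id is not a plain integer (the detection). The log lines, the in-memory SQLite table and the table name calendar_events are constructed for the example and are not taken from REDCap.

```python
import re
import sqlite3
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines in common log format (not real REDCap logs).
# The second and fourth lines carry non-integer cal_id values of the kind
# described in the advisory; the others are benign.
SAMPLE_LOG = """\
10.0.0.5 - alice [01/Jan/2020:10:00:01 +0000] "GET /redcap_v9.2.3/Calendar/calendar_popup_ajax.php?cal_id=55&pid=12 HTTP/1.1" 200 512
10.0.0.7 - bob [01/Jan/2020:10:00:02 +0000] "GET /redcap_v9.2.3/Calendar/calendar_popup_ajax.php?cal_id=55%20and%20sleep(5)&pid=12 HTTP/1.1" 200 514
10.0.0.9 - carol [01/Jan/2020:10:00:03 +0000] "GET /redcap_v9.2.3/index.php?pid=12 HTTP/1.1" 200 2048
10.0.0.7 - bob [01/Jan/2020:10:00:09 +0000] "GET /redcap_v9.2.3/Calendar/calendar_popup_ajax.php?cal_id=55'%20or%20'1'='1&pid=12 HTTP/1.1" 200 514
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# The vulnerable endpoint named in the advisory (version prefix varies per install).
CALENDAR_ENDPOINT = "/Calendar/calendar_popup_ajax.php"


def is_valid_cal_id(value: str) -> bool:
    """Mitigation check: cal_id must be a plain positive integer, nothing else."""
    return re.fullmatch(r"[1-9][0-9]*", value) is not None


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the real calendar table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE calendar_events (cal_id INTEGER PRIMARY KEY, notes TEXT)")
    conn.execute("INSERT INTO calendar_events VALUES (55, 'follow-up visit')")
    conn.commit()
    return conn


def lookup_event(conn: sqlite3.Connection, cal_id_raw: str):
    """Hardened lookup: reject anything that is not an integer, then bind the
    value as a query parameter so it can never be interpreted as SQL."""
    if not is_valid_cal_id(cal_id_raw):
        raise ValueError("cal_id must be a positive integer")
    return conn.execute(
        "SELECT cal_id, notes FROM calendar_events WHERE cal_id = ?",
        (int(cal_id_raw),),
    ).fetchone()


def scan_log(text: str) -> list:
    """Detection: return one finding per request to the calendar endpoint whose
    cal_id parameter fails the integer check."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if not url.path.endswith(CALENDAR_ENDPOINT):
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
        for raw in params.get("cal_id", []):
            if not is_valid_cal_id(raw):
                findings.append({
                    "ip": m.group("ip"),
                    "user": m.group("user"),
                    "ts": m.group("ts"),
                    "cal_id": raw,
                    "reason": "non-integer cal_id on calendar endpoint",
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} user={f['user']} cal_id={f['cal_id']!r}: {f['reason']}")
    db = make_demo_db()
    print(lookup_event(db, "55"))
```

The log scan reports the user and source address for each suspect request, which matters here because the advisory requires an authenticated project user, so the finding points at an account rather than an anonymous client. The lookup shows the fix: even if validation were skipped, the bound parameter would be compared as a value, not spliced into the statement.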