Description: REDCap 8.11.5 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3). An attacker can exploit this to extract any data from the REDCap database.
Vulnerability type: SQL Injection
Vendor of Product: REDCap
Affected Product Code Base: REDCap - 8.11.5 to before 9.3.0 Standard
Affected Component: Calendar function in a project of the REDCap application
Attack Type: Remote
Impact Escalation of Privileges: true
Attack Vectors: To exploit the vulnerability, the user must be logged in to the application and have access to a specific project in the REDCap application.
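
Detection example (added here, not part of the original advisory or of REDCap): a log review that flags requests whose cal_id value is not a plain integer, and marks those containing a time-delay function name such as the sleep(3) case in the description. It assumes cal_id appears in the query string of logged requests; the log lines and the /placeholder/calendar path are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines; the request path is a placeholder, not a REDCap path.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2020:10:00:01 +0000] "GET /placeholder/calendar?pid=12&cal_id=55 HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2020:10:00:05 +0000] "GET /placeholder/calendar?pid=12&cal_id=55%20and%20sleep(3) HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2020:10:00:09 +0000] "GET /placeholder/calendar?pid=12&cal_id=55+AND+SLEEP%283%29 HTTP/1.1" 200 512
198.51.100.4 - - [01/Jan/2020:10:01:00 +0000] "GET /placeholder/calendar?pid=12&cal_id= HTTP/1.1" 200 512
198.51.100.4 - - [01/Jan/2020:10:01:30 +0000] "GET /placeholder/calendar?pid=12&cal_id=55abc HTTP/1.1" 200 512
"""

# Client address and request target from a common/combined-format log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Function names commonly used to introduce a delay in time-based SQL injection.
DELAY_RE = re.compile(r"\b(sleep|benchmark|waitfor|pg_sleep)\b", re.IGNORECASE)
INTEGER_RE = re.compile(r"[0-9]+")


def suspicious_cal_id(log_text):
    """Return (client, decoded cal_id value, kind) for each non-integer cal_id."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        # parse_qsl URL-decodes values, so %20 and + both become spaces.
        params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
        for name, value in params:
            if name != "cal_id" or value == "":
                continue  # other parameters and empty IDs are not reported
            if INTEGER_RE.fullmatch(value):
                continue  # a plain numeric ID is the expected form
            kind = "time-delay" if DELAY_RE.search(value) else "non-integer"
            findings.append((client, value, kind))
    return findings


if __name__ == "__main__":
    for client, value, kind in suspicious_cal_id(SAMPLE_LOG):
        print(f"{kind:12} {client:15} cal_id={value!r}")
```

Parameters sent in a POST body do not appear in standard access logs, so the same check would need to run where request bodies are visible, such as a WAF or application log.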