CVE-2019-14937

REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php. The attacker can obtain a user's login sessionid from the database, and then re-login into REDCap to compromise all data.
Configurations

Configuration 1

cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*

Information

Published : 2019-08-17 05:15

Updated : 2019-08-27 01:48


NVD link : CVE-2019-14937

Mitre link : CVE-2019-14937

Products Affected
No products.
CWE