CVE-2020-26713
Severity: MEDIUM
REDCap 10.3.4 - Reflected Cross-Site Scripting in ToDoList Sort Parameter
REDCap 10.3.4 contains an XSS vulnerability in the ToDoList function: the value of the sort parameter is written back into the HTTP response without being escaped, giving a reflected cross-site scripting condition (CWE-79). An attacker who gets a logged-in user to open a crafted link can run script in that user's browser session and use it to steal session information or perform actions with the victim's privileges. The CVSS vector (PR:N, UI:R, S:C) reflects this: no privileges are needed on the server, but the victim must follow the link, and the impact lands in the victim's browser rather than on the vulnerable component itself.
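To make the pattern concrete, the following is an added Python example; it is not REDCap code and not the proof of concept from the GitHub reference. It models a stand-in "to-do list" handler that echoes its sort parameter, the same handler with output encoding, and the version a reviewer would ask for (an allow-list of sort keys plus encoding), together with the check a tester uses to confirm reflection. The column names, the URL and the probe string are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlparse

# Hypothetical column names for the sort allow-list (assumption, not REDCap's).
ALLOWED_SORT = ("date", "status", "project")

# Constructed probe: closes the attribute/tag it lands in and injects an element.
PROBE = '"><svg/onload=alert(1)>'


def sort_from_url(url: str) -> str:
    """Extract the (URL-decoded) sort parameter from a request URL."""
    return parse_qs(urlparse(url).query).get("sort", [""])[0]


def render_todolist_vulnerable(sort: str) -> str:
    """The CWE-79 pattern: the raw parameter is written straight into the HTML."""
    return (f"<p>Sorted by: <b>{sort}</b></p>"
            f'<a href="?sort={sort}">reload</a>')


def render_todolist_escaped(sort: str) -> str:
    """Output encoding only: html.escape() neutralises <, >, &, ' and "."""
    safe = html.escape(sort, quote=True)
    return (f"<p>Sorted by: <b>{safe}</b></p>"
            f'<a href="?sort={safe}">reload</a>')


def render_todolist_fixed(sort: str) -> str:
    """Allow-list plus output encoding: a sort key is a closed set, so anything
    outside it is replaced by the default before it is ever echoed."""
    if sort not in ALLOWED_SORT:
        sort = ALLOWED_SORT[0]
    return render_todolist_escaped(sort)


def reflects_unescaped(response_html: str, probe: str) -> bool:
    """Minimal detection check: the probe appears verbatim in the response."""
    return probe in response_html


def check_endpoint(render, url: str, probe: str = PROBE) -> bool:
    """Drive a renderer with a crafted URL and report whether it reflects the
    probe unencoded (True means the reflected-XSS pattern is present)."""
    return reflects_unescaped(render(sort_from_url(url)), probe)


if __name__ == "__main__":
    from urllib.parse import quote
    url = "https://example.test/todo?sort=" + quote(PROBE, safe="")
    for name, fn in (("vulnerable", render_todolist_vulnerable),
                     ("escaped", render_todolist_escaped),
                     ("fixed", render_todolist_fixed)):
        print(f"{name:10s} reflects probe unescaped: {check_endpoint(fn, url)}")
```

The allow-list matters beyond XSS: a sort parameter is normally a column name that ends up in an ORDER BY clause as well, so validating it against a fixed set closes both the reflection and any downstream use of the untrusted value, while encoding on output remains the general defence for anything that must be echoed.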
References (3)
Release Notes, Vendor Advisory: https://www.evms.edu/research/resources_services/redcap/redcap_change_log/
Product, Vendor Advisory: https://www.project-redcap.org/
Exploit, Third Party Advisory: https://github.com/vuongdq54/RedCap
Scores
CVSS v3: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Attack Vector: NETWORK
EPSS: 0.0117 (percentile 63.5%)
Details
CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")
Status: published
Products (2)
vanderbilt/redcap 10.0.20
vanderbilt/redcap 10.3.4
Published: Jan 12, 2021
Tracked Since: Feb 18, 2026