Redcap
CVE-2013-4609
MEDIUM
Severity by source
AV:N/AC:L/Au:S/C:P/I:P/A:P
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
AV:N/AC:L/Au:S/C:P/I:P/A:P
Lifecycle Timeline
1DescriptionCVE.org
REDCap before 5.0.4 and 5.1.x before 5.1.3 does not reject certain undocumented syntax within branching logic and calculations, which allows remote authenticated users to bypass intended access restrictions via (1) the Online Designer or (2) the Data Dictionary upload, as demonstrated by an eval call.
AnalysisAI
REDCap before 5.0.4 and 5.1.x before 5.1.3 does not reject certain undocumented syntax within branching logic and calculations, which allows remote authenticated users to bypass intended access. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-264. REDCap before 5.0.4 and 5.1.x before 5.1.3 does not reject certain undocumented syntax within branching logic and calculations, which allows remote authenticated users to bypass intended access restrictions via (1) the Online Designer or (2) the Data Dictionary upload, as demonstrated by an eval call. Affected products include: Project-Redcap Redcap, Vanderbilt Redcap. Version information: before 5.0.4.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
REDCap through 14.9.6 has a security flaw in the Notes section of calendar events, exposing users to a Cross-Site Reques
REDCap through 14.9.6 has a security flaw in the Project Dashboards name, exposing users to a Cross-Site Request Forgery
REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=
Multiple unspecified vulnerabilities in REDCap before 5.1.1 allow remote attackers to have an unknown impact via vectors
REDCap 14.7.0 allows HTML injection via the project title of a New Project action. Rated medium severity (CVSS 6.1), thi
A reflected XSS vulnerability exists in REDCap before 12.04.18 in the Alerts & Notifications upload feature. Rated mediu
Unspecified vulnerability in the Data Search utility in data-entry forms in REDCap before 5.0.3 and 5.1.x before 5.1.2 h
A stored cross-site scripting (XSS) vulnerability in the new REDCap project creation function of Vanderbilt REDCap 13.1.
A stored cross-site scripting (XSS) vulnerability in the Calendar function of REDCap 13.1.9 allows authenticated users t
A stored cross-site scripting (XSS) vulnerability in the Project Dashboards of REDCap 13.1.9 allows authenticated users
A stored cross-site scripting (XSS) vulnerability in the Public Survey function of REDCap 13.1.9 allows authenticated us
A stored cross-site scripting (XSS) vulnerability in the Project name of REDCap through 14.9.6 allows authenticated user
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today