REDCap before 9.3.0 allows... CVE-2019-14937

6.0 AV AC AU C I A
发布: 2019-08-17
修订: 2019-11-22

REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php. The attacker can obtain a user's login sessionid from the database, and then re-login into REDCap to compromise all data.