CVE-2013-4609

2013-06-1710:00:00

mitre

www.cve.org

redcap

version 5.0.4

version 5.1.3

access restrictions

online designer

data dictionary upload

eval call

AI Score

6.3

Confidence

Low

EPSS

0.002

Percentile

56.4%

JSON

REDCap before 5.0.4 and 5.1.x before 5.1.3 does not reject certain undocumented syntax within branching logic and calculations, which allows remote authenticated users to bypass intended access restrictions via (1) the Online Designer or (2) the Data Dictionary upload, as demonstrated by an eval call.

References

ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf