Time-based SQL Injection in REDCap Edit Calendar Event

Time-based SQL Injection in REDCap Edit Calendar Event

CVE-2019-14937 · MEDIUM Severity

AV:N/AC:M/AU:S/C:P/I:P/A:P

REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php. The attacker can obtain a user's login sessionid from the database, and then re-login into REDCap to compromise all data.

Learn more about our Cis Benchmark Audit For Microsoft Sql Server.