CVE-2020-27359

A cross-site scripting (XSS) issue in REDCap 8.11.6 through 9.x before 10 allows attackers to inject arbitrary JavaScript or HTML in the Messenger feature. It was found that the filename of the image or file attached in a message could be used to perform this XSS attack. A user could craft a message and send it to anyone on the platform including admins. The XSS payload would execute on the other account without interaction from the user on several pages.

CVSS v3 5.4 MEDIUM
CVSS v2.0 3.5 LOW

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/seb1055/cve-2020-27358-27359	Third Party Advisory
https://www.evms.edu/research/resources_services/redcap/redcap_change_log/	Release Notes Vendor Advisory
https://www.ruse.tech/blog/38	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:evms:redcap:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-11-02 21:15

Updated : 2024-02-28 18:08

NVD link : CVE-2020-27359

Mitre link : CVE-2020-27359

CVE.ORG link : CVE-2020-27359

JSON object : View

Products Affected

evms

redcap

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2020-27359", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2020-11-02T21:15:28.710", "references": [{"url": "https://github.com/seb1055/cve-2020-27358-27359", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/", "tags": ["Release Notes", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.ruse.tech/blog/38", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "A cross-site scripting (XSS) issue in REDCap 8.11.6 through 9.x before 10 allows attackers to inject arbitrary JavaScript or HTML in the Messenger feature. It was found that the filename of the image or file attached in a message could be used to perform this XSS attack. A user could craft a message and send it to anyone on the platform including admins. The XSS payload would execute on the other account without interaction from the user on several pages."}, {"lang": "es", "value": "Un problema de tipo cross-site scripting (XSS) en REDCap versiones 8.11.6 hasta 9.x anteriores a 10, permite a atacantes inyectar JavaScript o HTML arbitrario en la funcionalidad Messenger. Se encontr\u00f3 que el nombre de archivo de la imagen o el archivo adjunto en un mensaje podr\u00eda ser usado para llevar a cabo este ataque de tipo XSS. Un usuario puede dise\u00f1ar un mensaje y enviarlo a cualquier persona de la plataforma, incluyendo los administradores. La carga \u00fatil XSS podr\u00eda ser ejecutada en la otra cuenta sin la interacci\u00f3n del usuario en varias p\u00e1ginas"}], "lastModified": "2020-11-04T16:31:32.460", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:evms:redcap:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E82DBF5D-3459-47CC-9388-DF06BB5E4439", "versionEndExcluding": "10.0.0", "versionStartIncluding": "8.11.6"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}