Vulnerability Description
A cross-site scripting (XSS) issue in REDCap 8.11.6 through 9.x before 10 allows attackers to inject arbitrary JavaScript or HTML via the Messenger feature. The filename of an image or file attached to a message is rendered without adequate output encoding, so a crafted filename is enough to carry the payload. Any user can compose such a message and send it to anyone on the platform, including administrators. The payload executes in the recipient's browser session on several pages, with no interaction required from the recipient (stored XSS).
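The bug class described above, as an added example that is not REDCap code: an attachment filename concatenated straight into markup becomes a stored XSS sink, while HTML-escaping the filename (or building the node through the DOM API) removes it. The function names, the anchor-tag shape, and the sample filename are assumptions constructed for illustration; the real Messenger template and the original proof of concept are not reproduced.

```javascript
// Added example (not REDCap's code): attachment filename rendered into HTML.

// Constructed sample filename. An uploader controls the filename, so nothing
// stops it from containing < > " or an inline event handler.
const SAMPLE_FILENAME = 'report<img src=x onerror="alert(document.cookie)">.png';
const SAMPLE_URL = '/files/1';

// Vulnerable pattern: raw interpolation of the filename into attribute and
// text context. The browser will treat the embedded <img ...> as a real tag.
function renderAttachmentUnsafe(filename, url) {
  return `<a class="attachment" href="${url}" title="${filename}">${filename}</a>`;
}

// Fix: encode every HTML-significant character before interpolation.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function renderAttachmentSafe(filename, url) {
  const safeName = escapeHtml(filename);
  const safeUrl = escapeHtml(url);
  return `<a class="attachment" href="${safeUrl}" title="${safeName}">${safeName}</a>`;
}

// Defence in depth for the upload path: flag filenames carrying markup or
// event-handler syntax before they are stored. Output encoding is still the
// real fix; this only narrows what reaches the renderer.
function isSuspiciousFilename(filename) {
  return /[<>"'`]/.test(filename)
    || /\bon[a-z]+\s*=/i.test(filename)
    || /javascript:/i.test(filename);
}

// Crude tag counter used to show the difference: the safe rendering yields
// exactly the opening <a ...> and closing </a>; the unsafe one yields more.
function tagCount(html) {
  return (html.match(/<\/?[a-z][^>]*>/gi) || []).length;
}

function demo() {
  const unsafe = renderAttachmentUnsafe(SAMPLE_FILENAME, SAMPLE_URL);
  const safe = renderAttachmentSafe(SAMPLE_FILENAME, SAMPLE_URL);
  return {
    unsafeTags: tagCount(unsafe),       // 3: <a>, injected <img>, </a>
    safeTags: tagCount(safe),           // 2: <a>, </a>
    flagged: isSuspiciousFilename(SAMPLE_FILENAME), // true
  };
}

console.log(demo());
```

If the Messenger markup is built client-side instead, the equivalent fix is to create the anchor with `document.createElement('a')` and assign `textContent` and `title` as properties rather than building an HTML string, which sidesteps the encoding question entirely.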
CVSS Score
5.4 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Evms | Redcap | >= 8.11.6, < 10.0.0 |
Related Weaknesses (CWE)
References
- https://github.com/seb1055/cve-2020-27358-27359 (Third Party Advisory)
- https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ (Release Notes, Vendor Advisory)
- https://www.ruse.tech/blog/38 (Third Party Advisory)
FAQ
What is CVE-2020-27359?
CVE-2020-27359 is a vulnerability with a CVSS score of 5.4 (MEDIUM). A cross-site scripting (XSS) issue in REDCap 8.11.6 through 9.x before 10 allows attackers to inject arbitrary JavaScript or HTML in the Messenger feature. It was found that the filename of the image ...
How severe is CVE-2020-27359?
CVE-2020-27359 has been rated MEDIUM with a CVSS base score of 5.4/10. Note that the payload is stored and fires in the recipient's session without any interaction on their part, so a message sent to an administrator executes in an administrator's context.
Is there a patch for CVE-2020-27359?
The affected range is REDCap >= 8.11.6 and < 10.0.0, so REDCap 10.0.0 and later are not affected. See the vendor change log in the references above for release details, and the third-party advisories for the original analysis.