{ "id": "CVE-2020-27359", "sourceIdentifier": "cve@mitre.org", "published": "2020-11-02T21:15:28.710", "lastModified": "2020-11-04T16:31:32.460", "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "A cross-site scripting (XSS) issue in REDCap 8.11.6 through 9.x before 10 allows attackers to inject arbitrary JavaScript or HTML in the Messenger feature. It was found that the filename of the image or file attached in a message could be used to perform this XSS attack. A user could craft a message and send it to anyone on the platform including admins. The XSS payload would execute on the other account without interaction from the user on several pages." }, { "lang": "es", "value": "Un problema de tipo cross-site scripting (XSS) en REDCap versiones 8.11.6 hasta 9.x anteriores a 10, permite a atacantes inyectar JavaScript o HTML arbitrario en la funcionalidad Messenger. Se encontr\u00f3 que el nombre de archivo de la imagen o el archivo adjunto en un mensaje podr\u00eda ser usado para llevar a cabo este ataque de tipo XSS. Un usuario puede dise\u00f1ar un mensaje y enviarlo a cualquier persona de la plataforma, incluyendo los administradores. La carga \u00fatil XSS podr\u00eda ser ejecutada en la otra cuenta sin la interacci\u00f3n del usuario en varias p\u00e1ginas" } ], "metrics": { "cvssMetricV31": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM" }, "exploitabilityScore": 2.3, "impactScore": 2.7 } ], "cvssMetricV2": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "2.0", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 3.5 }, "baseSeverity": "LOW", "exploitabilityScore": 6.8, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true } ] }, "weaknesses": [ { "source": "nvd@nist.gov", "type": "Primary", "description": [ { "lang": "en", "value": "CWE-79" } ] } ], "configurations": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:a:evms:redcap:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.11.6", "versionEndExcluding": "10.0.0", "matchCriteriaId": "E82DBF5D-3459-47CC-9388-DF06BB5E4439" } ] } ] } ], "references": [ { "url": "https://github.com/seb1055/cve-2020-27358-27359", "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ] }, { "url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/", "source": "cve@mitre.org", "tags": [ "Release Notes", "Vendor Advisory" ] }, { "url": "https://www.ruse.tech/blog/38", "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ] } ] }