CVE-2013-4609

REDCap before 5.0.4 and 5.1.x before 5.1.3 does not reject certain undocumented syntax within branching logic and calculations, which allows remote authenticated users to bypass intended access restrictions via (1) the Online Designer or (2) the Data Dictionary upload, as demonstrated by an eval call.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:S/C:P/I:P/A:P
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 41%
VendorProductVersion
project-redcapredcap
4.13.18
project-redcapredcap
4.14.5
project-redcapredcap
4.14.6
project-redcapredcap
4.15.0
project-redcapredcap
4.15.1
project-redcapredcap
4.15.2
project-redcapredcap
4.15.3
project-redcapredcap
4.15.4
project-redcapredcap
5.0.0
project-redcapredcap
5.0.1
project-redcapredcap
5.0.2
project-redcapredcap
5.1.0
project-redcapredcap
5.1.1
project-redcapredcap
5.1.2
vanderbiltredcap
𝑥
≤ 5.0.3
vanderbiltredcap
4.14.0
vanderbiltredcap
4.14.1
vanderbiltredcap
4.14.2
vanderbiltredcap
4.14.3
vanderbiltredcap
4.14.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf
http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf