CVE-2013-4609

EUVD-2013-4465
REDCap before 5.0.4 and 5.1.x before 5.1.3 does not reject certain undocumented syntax within branching logic and calculations, which allows remote authenticated users to bypass intended access restrictions via (1) the Online Designer or (2) the Data Dictionary upload, as demonstrated by an eval call.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:S/C:P/I:P/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 40%
Affected Products (NVD)
VendorProductVersion
project-redcapredcap
4.13.18
project-redcapredcap
4.14.5
project-redcapredcap
4.14.6
project-redcapredcap
4.15.0
project-redcapredcap
4.15.1
project-redcapredcap
4.15.2
project-redcapredcap
4.15.3
project-redcapredcap
4.15.4
project-redcapredcap
5.0.0
project-redcapredcap
5.0.1
project-redcapredcap
5.0.2
project-redcapredcap
5.1.0
project-redcapredcap
5.1.1
project-redcapredcap
5.1.2
vanderbiltredcap
𝑥
≤ 5.0.3
vanderbiltredcap
4.14.0
vanderbiltredcap
4.14.1
vanderbiltredcap
4.14.2
vanderbiltredcap
4.14.3
vanderbiltredcap
4.14.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf
http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf