CVE-2019-14937

Name of the Vulnerable Software and Affected Versions REDCap versions prior to 9.3.0

Description The issue allows for time-based SQL injection in the edit calendar event via the cal id parameter. An attacker can exploit this to obtain a user's login sessionid from the database and then re-login into REDCap to compromise all data. This can be achieved by manipulating the cal id parameter, for example, by using cal id=55 and sleep(3) in a request to "Calendar/calendar popup ajax.php".

Recommendations For versions prior to 9.3.0, update to version 9.3.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the "Calendar/calendar popup ajax.php" endpoint to minimize the risk of exploitation. Avoid using the cal id parameter in the affected endpoint until the issue is resolved.