CVE-2020-26712

Name of the Vulnerable Software and Affected Versions: REDCap version 10.3.4

Description: The issue concerns a SQL injection vulnerability in the ToDoList function via the sort parameter. This vulnerability arises because the application incorporates user-submitted information into database queries without proper validation, allowing an attacker to exploit and potentially compromise all databases.

Recommendations: For REDCap version 10.3.4, as a temporary workaround, consider restricting access to the ToDoList function or validating and sanitizing the sort parameter to prevent SQL injection attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.