CVE-2013-4609

REDCap before 5.0.4 and 5.1.x before 5.1.3 does not reject certain undocumented syntax within branching logic and calculations, which allows remote authenticated users to bypass intended access restrictions via (1) the Online Designer or (2) the Data Dictionary upload, as demonstrated by an eval call.

Published: Jun 17, 2013
Updated: Apr 13, 2023
CVE: CVE-2013-4609
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-264

Affected Software
References

Software	From	Fixed in
project-redcap / redcap	5.1.0	5.1.0.x
project-redcap / redcap	5.1.1	5.1.1.x
project-redcap / redcap	4.15.4	4.15.4.x
project-redcap / redcap	4.15.2	4.15.2.x
project-redcap / redcap	4.14.6	4.14.6.x
project-redcap / redcap	4.14.5	4.14.5.x
project-redcap / redcap	5.0.1	5.0.1.x
project-redcap / redcap	5.1.2	5.1.2.x
project-redcap / redcap	4.13.18	4.13.18.x
project-redcap / redcap	4.15.3	4.15.3.x
project-redcap / redcap	4.15.1	4.15.1.x
project-redcap / redcap	4.15.0	4.15.0.x
project-redcap / redcap	5.0.0	5.0.0.x
project-redcap / redcap	5.0.2	5.0.2.x
vanderbilt / redcap	4.14.4	4.14.4.x
vanderbilt / redcap	-	5.0.3.x
vanderbilt / redcap	4.14.3	4.14.3.x
vanderbilt / redcap	4.14.0	4.14.0.x
vanderbilt / redcap	4.14.2	4.14.2.x
vanderbilt / redcap	4.14.1	4.14.1.x

http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf

Vulnerability Database

289,697

CVE-2013-4609