CVE-2020-27359 - Vulnerability Details - OpenCVE

A cross-site scripting (XSS) issue in REDCap 8.11.6 through 9.x before 10 allows attackers to inject arbitrary JavaScript or HTML in the Messenger feature. It was found that the filename of the image or file attached in a message could be used to perform this XSS attack. A user could craft a message and send it to anyone on the platform including admins. The XSS payload would execute on the other account without interaction from the user on several pages.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Evms	Redcap

Configuration 1 [-]

cpe:2.3:a:evms:redcap:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/seb1055/cve-2020-27358-27359
https://www.evms.edu/research/resources_services/redcap/redcap_change_log/
https://www.ruse.tech/blog/38

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-10-31T16:22:03

Updated: 2024-08-04T16:11:36.698Z

Reserved: 2020-10-20T00:00:00

Link: CVE-2020-27359

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-11-02T21:15:28.710

Modified: 2024-11-21T05:21:03.663

Link: CVE-2020-27359

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "A cross-site scripting (XSS) issue in REDCap 8.11.6 through 9.x before 10 allows attackers to inject arbitrary JavaScript or HTML in the Messenger feature. It was found that the filename of the image or file attached in a message could be used to perform this XSS attack. A user could craft a message and send it to anyone on the platform including admins. The XSS payload would execute on the other account without interaction from the user on several pages."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-11-02T13:02:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.ruse.tech/blog/38"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/seb1055/cve-2020-27358-27359"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2020-27359", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A cross-site scripting (XSS) issue in REDCap 8.11.6 through 9.x before 10 allows attackers to inject arbitrary JavaScript or HTML in the Messenger feature. It was found that the filename of the image or file attached in a message could be used to perform this XSS attack. A user could craft a message and send it to anyone on the platform including admins. The XSS payload would execute on the other account without interaction from the user on several pages."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/", "refsource": "MISC", "url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"}, {"name": "https://www.ruse.tech/blog/38", "refsource": "MISC", "url": "https://www.ruse.tech/blog/38"}, {"name": "https://github.com/seb1055/cve-2020-27358-27359", "refsource": "MISC", "url": "https://github.com/seb1055/cve-2020-27358-27359"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:11:36.698Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.ruse.tech/blog/38"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/seb1055/cve-2020-27358-27359"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-27359", "datePublished": "2020-10-31T16:22:03", "dateReserved": "2020-10-20T00:00:00", "dateUpdated": "2024-08-04T16:11:36.698Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:evms:redcap:*:*:*:*:*:*:*:*", "matchCriteriaId": "E82DBF5D-3459-47CC-9388-DF06BB5E4439", "versionEndExcluding": "10.0.0", "versionStartIncluding": "8.11.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A cross-site scripting (XSS) issue in REDCap 8.11.6 through 9.x before 10 allows attackers to inject arbitrary JavaScript or HTML in the Messenger feature. It was found that the filename of the image or file attached in a message could be used to perform this XSS attack. A user could craft a message and send it to anyone on the platform including admins. The XSS payload would execute on the other account without interaction from the user on several pages."}, {"lang": "es", "value": "Un problema de tipo cross-site scripting (XSS) en REDCap versiones 8.11.6 hasta 9.x anteriores a 10, permite a atacantes inyectar JavaScript o HTML arbitrario en la funcionalidad Messenger. Se encontr\u00f3 que el nombre de archivo de la imagen o el archivo adjunto en un mensaje podr\u00eda ser usado para llevar a cabo este ataque de tipo XSS. Un usuario puede dise\u00f1ar un mensaje y enviarlo a cualquier persona de la plataforma, incluyendo los administradores. La carga \u00fatil XSS podr\u00eda ser ejecutada en la otra cuenta sin la interacci\u00f3n del usuario en varias p\u00e1ginas"}], "id": "CVE-2020-27359", "lastModified": "2024-11-21T05:21:03.663", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "[email protected]", "type": "Primary"}]}, "published": "2020-11-02T21:15:28.710", "references": [{"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://github.com/seb1055/cve-2020-27358-27359"}, {"source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://www.ruse.tech/blog/38"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/seb1055/cve-2020-27358-27359"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.ruse.tech/blog/38"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "[email protected]", "type": "Primary"}]}