QwikSec

Security Database

CVE

CWE

Training

CVE-2020-27358

Published: Oct 31, 2020

Modified: Aug 4, 2024

PUBLISHED

Description

An issue was discovered in REDCap 8.11.6 through 9.x before 10. The messenger's CSV feature (that allows users to export their conversation threads as CSV) allows non-privileged users to export one another's conversation threads by changing the thread_id parameter in the request to the endpoint Messenger/messenger_download_csv.php?title=Hey&thread_id={THREAD_ID}.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://www.evms.edu/research/resources_services/redcap/redcap_change_log/

x_refsource_MISC

https://www.ruse.tech/blog/38

x_refsource_MISC

https://github.com/seb1055/cve-2020-27358-27359

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.