
CVE-2020-27358 : Security Advisory and Response


An issue was discovered in REDCap 8.11.6 through 9.x before 10, allowing non-privileged users to export others' conversation threads.

Understanding CVE-2020-27358

What is CVE-2020-27358?

CVE-2020-27358 is an insecure direct object reference (IDOR) in the REDCap Messenger CSV export. Any authenticated user, without any elevated REDCap privilege, can export another user's conversation thread by changing the thread_id parameter in the export request to the identifier of a thread they do not belong to. The export endpoint looks the thread up by its ID but does not verify that the requester is a participant in that thread.

The Impact of CVE-2020-27358

The impact is a confidentiality breach of Messenger data: a non-privileged user can read the full contents of conversation threads they were never party to. Because REDCap is used to manage research study data, those threads may contain discussion of study participants, records or project administration, so the exposure can extend beyond the users in the conversation itself. Exploitation leaves no visible trace for the thread's real participants; only server-side logs would show the access.

Technical Details of CVE-2020-27358

Vulnerability Description

The flaw is in REDCap's Messenger CSV export feature: the thread_id parameter supplied in the export request is used to select the thread to export, but the server does not check that the requesting user is a participant in that thread. Altering thread_id therefore yields another user's conversation as a CSV download.

Affected Systems and Versions

        Affected versions: REDCap 8.11.6 through 9.x before 10

Exploitation Mechanism

An attacker needs only an ordinary REDCap account with access to Messenger. They request a CSV export of one of their own threads, observe the thread_id parameter in that request, and then resend the request with the thread_id of a thread they are not part of. Because the server performs only the authentication check and not an authorization check on the thread, the export succeeds. An attacker who knows or can guess other valid thread_id values can repeat the request for each one to harvest many threads.
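The following is an added illustration, not REDCap's own code: a small Python model of the export handler in its vulnerable form beside the hardened form. The data structures (THREAD_PARTICIPANTS, MESSAGES, KNOWN_USERS), the function names and the sample messages are all constructed for the example; only the thread_id parameter name comes from the advisory.

```python
import csv
import io

# Constructed sample data; this is not REDCap's schema or code, only a model
# of the missing check. thread_id -> set of user_ids who belong to the thread.
THREAD_PARTICIPANTS = {
    101: {1, 2},
    102: {3, 4},
}
MESSAGES = {
    101: [(1, "Can you check the enrollment numbers?"), (2, "Sure, looking now.")],
    102: [(3, "Participant 42 withdrew consent."), (4, "Noted, updating the record.")],
}
KNOWN_USERS = {1, 2, 3, 4}


def _thread_to_csv(thread_id):
    """Serialize one thread as CSV text (the export itself is not the bug)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["thread_id", "sender_id", "message"])
    for sender_id, text in MESSAGES[thread_id]:
        writer.writerow([thread_id, sender_id, text])
    return buf.getvalue()


def export_thread_vulnerable(requesting_user, thread_id):
    """Models the flaw: the session is authenticated, but thread_id is taken
    straight from the request and never compared against the requester."""
    if requesting_user not in KNOWN_USERS:
        raise PermissionError("not logged in")
    if thread_id not in MESSAGES:
        raise LookupError("no such thread")
    return _thread_to_csv(thread_id)


def export_thread_fixed(requesting_user, thread_id):
    """Hardened form: authorize the object, not just the session."""
    if requesting_user not in KNOWN_USERS:
        raise PermissionError("not logged in")
    participants = THREAD_PARTICIPANTS.get(thread_id, set())
    if requesting_user not in participants:
        # One error for 'no such thread' and 'not your thread', so the
        # endpoint cannot be used to enumerate which thread_ids exist.
        raise PermissionError("thread not found or access denied")
    return _thread_to_csv(thread_id)


def can_export(export_fn, requesting_user, thread_id):
    """True if export_fn hands the CSV to this user, False if it refuses."""
    try:
        export_fn(requesting_user, thread_id)
    except (PermissionError, LookupError):
        return False
    return True


if __name__ == "__main__":
    # User 1 belongs only to thread 101 but asks for thread 102.
    print("vulnerable:", can_export(export_thread_vulnerable, 1, 102))  # True
    print("fixed:     ", can_export(export_thread_fixed, 1, 102))       # False
    print(export_thread_fixed(1, 101))
```

The point of the hardened version is that the membership lookup is keyed on both the thread and the session user, and that a thread the user may not read is reported the same way as a thread that does not exist.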

Mitigation and Prevention

Immediate Steps to Take

        Upgrade to REDCap 10.0.0 or later, which adds the missing participant check to the Messenger CSV export.
        If you cannot upgrade immediately, restrict or disable the Messenger CSV export (or Messenger itself) until you can. This is a stop-gap that reduces exposure; it does not fix the missing authorization check, and any non-privileged user who retains access to the export can still exploit it.

Long-Term Security Practices

        Monitor and audit Messenger export activity: a single user exporting many distinct thread_ids in a short period is the signature of this kind of IDOR abuse.
        Educate users on the importance of data privacy and on keeping sensitive study data out of informal messaging where possible.
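As an added example of the auditing suggested above (not part of the advisory or of REDCap), the script below scans constructed web-server access-log lines for CSV export requests and flags any user who exported more than a few distinct thread_ids within a short window. The log format and the export path /redcap/Messenger/export_csv.php are placeholders chosen for the example; only the thread_id parameter name comes from the advisory, so adjust the regex to the real path and log layout of your deployment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines (not real REDCap logs). The export path is a
# placeholder; only the thread_id parameter name comes from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Oct/2020:09:01:10 +0000] "GET /redcap/Messenger/export_csv.php?thread_id=101 HTTP/1.1" 200 812
10.0.0.9 - mallory [12/Oct/2020:09:02:01 +0000] "GET /redcap/Messenger/export_csv.php?thread_id=100 HTTP/1.1" 200 640
10.0.0.9 - mallory [12/Oct/2020:09:02:03 +0000] "GET /redcap/Messenger/export_csv.php?thread_id=101 HTTP/1.1" 200 812
10.0.0.9 - mallory [12/Oct/2020:09:02:05 +0000] "GET /redcap/Messenger/export_csv.php?thread_id=102 HTTP/1.1" 200 455
10.0.0.9 - mallory [12/Oct/2020:09:02:06 +0000] "GET /redcap/Messenger/export_csv.php?thread_id=103 HTTP/1.1" 200 970
10.0.0.9 - mallory [12/Oct/2020:09:02:08 +0000] "GET /redcap/Messenger/export_csv.php?thread_id=104 HTTP/1.1" 200 301
10.0.0.7 - bob [12/Oct/2020:09:30:00 +0000] "GET /redcap/Messenger/export_csv.php?thread_id=102 HTTP/1.1" 200 455
"""

# Combined-log style line: client, ident, user, [timestamp], "METHOD path HTTP/x", status
LINE_RE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_exports(log_text):
    """Yield (user, timestamp, thread_id) for each successful export request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        q = re.search(r"[?&]thread_id=(\d+)", m.group("path"))
        if not q:
            continue
        yield m.group("user"), datetime.strptime(m.group("ts"), TS_FMT), int(q.group(1))


def flag_enumeration(log_text, max_threads=3, window_s=60):
    """Return {user: sorted thread_ids} for users who exported more than
    max_threads distinct threads inside any window_s-second window."""
    per_user = defaultdict(list)
    for user, ts, tid in parse_exports(log_text):
        per_user[user].append((ts, tid))
    flagged = {}
    for user, events in per_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = {tid for ts, tid in events[i:]
                         if (ts - start).total_seconds() <= window_s}
            if len(in_window) > max_threads:
                flagged[user] = sorted(in_window)
                break
    return flagged


if __name__ == "__main__":
    for user, threads in flag_enumeration(SAMPLE_LOG).items():
        print(f"{user}: exported {len(threads)} distinct threads: {threads}")
```

The thresholds are deliberately low for the sample; tune max_threads and window_s against how often legitimate users export their own threads. Cross-checking the flagged thread_ids against Messenger's participant table turns a suspicious burst into a confirmed finding.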

Patching and Updates

Ensure timely installation of security patches and updates provided by REDCap to address known vulnerabilities.
