CVE-2020-27358

MEDIUM Year: 2020
CVSS v3 Score
4.3
Medium
CVSS v2 Score
4.0
Medium
Weakness Type
CWE-276
View all →

Vulnerability Description

An issue was discovered in REDCap 8.11.6 through 9.x before 10. The messenger's CSV feature (that allows users to export their conversation threads as CSV) allows non-privileged users to export one another's conversation threads by changing the thread_id parameter in the request to the endpoint Messenger/messenger_download_csv.php?title=Hey&thread_id={THREAD_ID}.

Related Vulnerabilities

CVE-2012-1157

MEDIUM
CVSS:4.3(Medium)

Moodle before 2.2.2 has a default repository capabilities issue where all repositories are viewable by all users by default

CWE-2762012

CVE-2013-4764

MEDIUM
CVSS:4.3(Medium)

Samsung Galaxy S3/S4 exposes an unprotected component allowing an unprivileged app to send arbitrary SMS texts to arbitrary destinations without permission.

CWE-2762013

CVE-2017-9505

MEDIUM
CVSS:4.3(Medium)

Atlassian Confluence starting with 4.3.0 before 6.2.1 did not check if a user had permission to view a page when creating a workbox notification about new comments. An attacker who can login to Conflu...

CWE-2762017

CVE-2019-10465

MEDIUM
CVSS:4.3(Medium)

A missing permission check in Jenkins Deploy WebLogic Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials, or determine wh...

CWE-2762019

CVE-2019-10473

MEDIUM
CVSS:4.3(Medium)

A missing permission check in Jenkins Libvirt Slaves Plugin in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

CWE-2762019

CVE-2019-10474

MEDIUM
CVSS:4.3(Medium)

A missing permission check in Jenkins Global Post Script Plugin in allowed users with Overall/Read access to list the scripts available to the plugin stored on the Jenkins master file system.

CWE-2762019