Admin Dashboard 3.5.2 has a cross-site scripting vulnerability.
When creating a new project (POSTing to /ExternalModules/?prefix=admin_dash&page=requestHandler&type=saveReportSettings), a malicious user can inject JavaScript into the "description" field. The example JSON below injects JavaScript that will POST the contents of _UIOWAAdminDash.data (in this case a dump of the table redcap_auth) to a remote server (in this case localhost).
To fix this, please sanitize all user input.
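One way to apply that fix to the "description" field, shown as an added example that is not part of the original report or of Admin Dashboard's code: validate the saved settings on the server and HTML-encode the description wherever it is rendered. The function names, the `title` field, the CSS class and the 500-character limit are assumptions for illustration; the sample payload is constructed.

```javascript
// Added example, not Admin Dashboard's own code. Only the "description"
// field name comes from the report; every other name here is hypothetical.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#39;", "`": "&#96;",
};

// Encode a value for an HTML text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

const MAX_DESCRIPTION_LENGTH = 500; // assumed limit

// Validate report settings before they are stored: reject non-string or
// oversized descriptions and drop control characters. The text itself is
// stored unmodified; encoding happens at output time.
function validateReportSettings(settings) {
  if (settings === null || typeof settings !== "object" || Array.isArray(settings)) {
    throw new TypeError("settings must be an object");
  }
  const description = settings.description ?? "";
  if (typeof description !== "string") {
    throw new TypeError("description must be a string");
  }
  if (description.length > MAX_DESCRIPTION_LENGTH) {
    throw new RangeError("description is too long");
  }
  const cleaned = description.replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g, "");
  return { ...settings, description: cleaned };
}

// Vulnerable pattern: the stored description is concatenated into markup.
function renderDescriptionUnsafe(report) {
  return '<p class="report-description">' + report.description + "</p>";
}

// Hardened pattern: the description is encoded, so it displays as text.
// In DOM code, assigning to element.textContent has the same effect.
function renderDescriptionSafe(report) {
  return '<p class="report-description">' + escapeHtml(report.description) + "</p>";
}

// Constructed sample input (not taken from the report).
const SAMPLE_REPORT = {
  title: "Constructed sample",
  description: '<script>alert(1)</script><img src=x onerror="alert(2)">',
};
```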