ui-icts / redcap-admin-dashboard

Provides a sortable table view of various reports on REDCap metadata
MIT License

Authorization bypass #8

Closed utiso closed 3 years ago

utiso commented 3 years ago

The end-point /ExternalModules/?prefix=admindash&page=requestHandler&type=saveReportSettings does not verify that users POSTing to it have administrative access to REDCap itself. It was discovered when writing the JSON payload for ticket #6 that any logged-in user of REDCap could create new projects in the Admin Dashboard module. Combined with the XSS flaw, any user of REDCap can create and export data from the Admin Dashboard module.

Please ensure that only authorized users can interact with this module.
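The fix the report asks for, shown as an added example rather than the module's own code: a minimal requestHandler page for a REDCap External Module that authorizes the caller before touching any settings. It assumes the framework's `$module->getUser()` / `isSuperUser()` helpers and `setSystemSetting()` behave as named, and the setting key used is hypothetical.

```php
<?php
// Added example, not code from ui-icts/redcap-admin-dashboard. Assumptions:
//  - the framework loads this page with the module instance in $module;
//  - $module->getUser()->isSuperUser() reports REDCap administrator status;
//  - the 'report-settings' key is hypothetical.
// The page name and the 'saveReportSettings' type come from the issue above.

/** True only when the current REDCap user is an administrator; fails closed. */
function currentUserIsAdmin($module): bool
{
    try {
        return (bool) $module->getUser()->isSuperUser();
    } catch (\Throwable $e) {
        // Any failure resolving the user is treated as "not authorized".
        return false;
    }
}

// Vulnerable shape described in the issue (for contrast, not executed):
// any logged-in user reaches this line and the payload is saved as-is.
//   if (($_GET['type'] ?? '') === 'saveReportSettings') {
//       $module->setSystemSetting('report-settings', file_get_contents('php://input'));
//   }

// Hardened handler: authorize first, then validate method/type/payload, then act.
if (!currentUserIsAdmin($module)) {
    http_response_code(403);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'REDCap administrator access required']);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || ($_GET['type'] ?? '') !== 'saveReportSettings') {
    http_response_code(400);
    exit;
}

$payload = json_decode(file_get_contents('php://input'), true);
if (!is_array($payload)) {
    // Reject anything that is not a JSON object/array before persisting.
    http_response_code(400);
    exit;
}

// Only an administrator with a well-formed POST body reaches this point.
$module->setSystemSetting('report-settings', json_encode($payload));
http_response_code(204);
```

The same admin check belongs at the top of every request type the handler accepts, not only saveReportSettings, since each one otherwise becomes a separate bypass.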

iznaut commented 3 years ago

This is fixed in 3.5.3.