The endpoint /ExternalModules/?prefix=admindash&page=requestHandler&type=saveReportSettings does not verify that users POSTing to it have administrative access to REDCap itself. It was discovered while writing the JSON payload for ticket #6 that any logged-in REDCap user could create new projects in the Admin Dashboard module. Combined with the XSS flaw, any REDCap user can create and export data from the Admin Dashboard module.
Please ensure that only authorized users can interact with this module.
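One way to enforce the missing check, as an added example that is not the module's own code: a request-handler skeleton that refuses every request type before dispatch unless the caller is a REDCap administrator. It assumes REDCap's SUPER_USER constant is truthy for administrators once the session is bootstrapped, and uses a hypothetical saveReportSettings() helper in place of the module's real save logic; both are assumptions, not taken from the module.

```php
<?php
// Added example: hardened request handler for the Admin Dashboard module.
// Assumes REDCap defines SUPER_USER (truthy for administrators) once the
// module framework has bootstrapped the session. Not the module's own code.

function isRedcapAdmin(): bool
{
    // Deny by default: if the constant is missing we cannot prove admin status.
    return defined('SUPER_USER') && (bool) SUPER_USER;
}

function denyRequest(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $message]);
    exit;
}

// Hypothetical stand-in for the module's save logic: validates the shape of
// the posted settings and returns the normalised record that would be stored.
function saveReportSettings(array $payload): array
{
    $name = trim((string) ($payload['name'] ?? ''));
    if ($name === '' || strlen($name) > 100) {
        denyRequest(400, 'Report name is required (max 100 characters)');
    }
    return ['name' => $name, 'fields' => array_values((array) ($payload['fields'] ?? []))];
}

// Authorization runs before any type-specific code, so a request type added
// later cannot accidentally bypass it.
if (!isRedcapAdmin()) {
    denyRequest(403, 'Administrator access to REDCap is required');
}

// State-changing actions are only accepted over POST.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    denyRequest(405, 'POST required');
}

$type = $_GET['type'] ?? '';
$payload = json_decode((string) file_get_contents('php://input'), true);

switch ($type) {
    case 'saveReportSettings':
        $saved = saveReportSettings(is_array($payload) ? $payload : []);
        header('Content-Type: application/json');
        echo json_encode(['ok' => true, 'report' => $saved]);
        break;
    default:
        // Unknown types are rejected rather than silently ignored.
        denyRequest(400, 'Unsupported request type');
}
```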