Changelog LTS Version 8.10.11

BUG FIXES & OTHER CHANGES:

  • Critical security fix: An SQL Injection vulnerability was found on several pages that could potentially be exploited by a malicious user manipulating the URL query string of an HTTP request, including by non-REDCap users through publicly available URL endpoints that do not enforce authentication. It appears very unlikely that this vulnerability could be used to extract information from a REDCap database. But if enough is known about REDCap's internals, it might be possible for an outsider to upload files into random projects in REDCap; however, there is no evidence that those same files could be executed or downloaded, and thus the files would essentially be orphaned (not accessible through the user interface in any way) and would simply take up unnecessary space on the file server. This bug appears to exist in every version of REDCap since version 4.0.0.
  • Major bug fix: If a user attempted to put a production project into Draft Mode on the Online Designer page, it would fail and merely reload the page. (Ticket #49866)
  • Major bug fix: If a user has "De-identified" or "Remove all tagged Identifier fields" data export user privileges in a project, and then the user downloads a PDF of a data entry form with saved data, in which the form is a repeating instrument or repeating event, it would mistakenly not remove the appropriate data from the PDF as required according to their user privileges. (Ticket #52190)
  • Major bug fix: If a user has data export privileges of "De-identified" or "Remove all tagged Identifier fields", and then the user exports a report in which every field in the report gets removed due to their export privileges, then it would mistakenly export data for *all* the fields in the entire project. (Ticket #48976)
  • Major bug fix: On survey pages, data entry forms, and other pages where conditional logic and calcs are evaluated, those pages may take an exorbitant amount of time to load (and in some cases may never successfully load at all). This appears to only affect certain Windows server environments.
  • Major bug fix: The "Export Records" API method mistakenly fails and will never complete due to a fatal PHP error. Bug emerged in REDCap 8.5.23. (Ticket #54340)
  • Major bug fix: The DateDiff+Today/Now cron job would sometimes crash due to a fatal PHP error caused when processing the [survey-link] Smart Variable in the message of an Automated Survey Invitation. This would occur only under very specific conditions, and it would result in many projects/records not having their ASI datediff logic processed, thus the ASI's survey invitations would not get successfully scheduled in these cases, and it might cause invitations from other unrelated projects not to get scheduled either. (Ticket #61346, #61213)
  • Major bug fix: When a project is using a public survey that has "Save & Return Later" enabled with "Allow respondents to return without needing a return code" enabled, then if a participant clicks the "Save & Return Later" button on the public survey and leaves the survey open on the "Your survey responses were saved!" page while another participant partially or fully completes the survey, and then if the original participant clicks the "Continue Survey Now" button on the "Your survey responses were saved!" page, then the original participant will mistakenly create a brand new record/response whenever they submit the survey page again after returning. (Ticket #61764)
  • Major bug fix: When a project is using a public survey that has "Save & Return Later" enabled with "Allow respondents to return without needing a return code" enabled, then if a participant clicks the "Save & Return Later" button on the public survey and leaves the survey open on the "Your survey responses were saved!" page while another participant partially or fully completes the survey, and then if the original participant clicks the "Continue Survey Now" button on the "Your survey responses were saved!" page, then the original participant will mistakenly have the other participant's response loaded for them on the survey page.
  • Major bug fix: When the Clinical Data Pull (CDP) is enabled on a project, if extra data is imported from the EHR for several patients at one time via the cron job (after a user has already pulled some patient data from the EHR for those patients), in certain cases it might mistakenly not clear out data from another patient whose data is being fetched and thus inadvertently add one patient’s data to another patient.
  • Major bug fix: When upgrading from a REDCap version lower than 8.4.0 to version 8.4.0 or higher, if any projects used Twilio telephony services for surveys and had an Automated Survey Invitation set to use the "Participant's Preference" for the delivery method, then new invitations scheduled by the ASI might not include a survey link (when needed) upon being scheduled. (Ticket #42868)
  • Major bug fix: When using Smart Variables in the conditional logic of an Automated Survey Invitation, in which the logic also contains a datediff function using "today" or "now" as a parameter in the function, it would often cause the ASI cron job to not correctly parse the logic and thus not schedule the invitations at the correct time, or it might mistakenly cause the cron job to crash unexpectedly without finishing scheduling all other ASIs for other surveys.
  • Medium security fix: A Cross-Site Scripting (XSS) vulnerability was discovered on many pages, in which a malicious user could potentially exploit it by manipulating the query string of an HTTP request.
  • Minor security fix: A Cross-Site Scripting (XSS) vulnerability was discovered on certain pages, in which a malicious user could potentially exploit it by manipulating the query string of an HTTP request.
  • Minor security fix: An SQL Injection vulnerability was found on survey pages and data entry pages, in which a malicious user could potentially exploit it by manipulating the query string of an HTTP request.
  • Minor security fix: If a malicious user is able to find the URL endpoint at which REDCap Messenger's message history can be downloaded as a CSV file for a given conversation, they could potentially exploit it by manipulating the query string of the HTTP request, which might allow them to download other users' conversations to which they do not have access.
  • Minor security fix: If the hook functions file (as defined on the General Configuration page in the Control Center) begins with "http" or "ftp", then REDCap will not attempt to call/include that path.
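As an added illustration of the hook-functions-file hardening above (example code, not REDCap's own), the check below refuses a configured path that names any stream wrapper, generalising the "http"/"ftp" prefix test to every scheme, and additionally requires the path to resolve to a readable regular file under an assumed allowed directory. The function and parameter names, the allowed-root requirement and the sample paths are assumptions.

```php
<?php
// Added example, not REDCap code: validate a configured hook-functions file
// path before including it. Rejects any URL/stream-wrapper scheme (http://,
// ftp://, phar://, data:, php://, ...) rather than only "http" and "ftp",
// then requires a readable regular file located under $allowedRoot.
// $allowedRoot is an assumption about where hook files are expected to live.

function hook_path_is_safe(string $configuredPath, string $allowedRoot): bool
{
    $path = trim($configuredPath);
    if ($path === '') {
        return false;
    }
    // Any scheme of two or more characters disqualifies the path. The "+"
    // quantifier deliberately lets Windows drive letters ("C:\...") through.
    if (preg_match('#^[a-z][a-z0-9+.\-]+:#i', $path)) {
        return false;
    }
    // Resolve symlinks and ".." segments; realpath() is false for missing files.
    $real = realpath($path);
    $root = realpath($allowedRoot);
    if ($real === false || $root === false) {
        return false;
    }
    // Must be a readable regular file (not a directory or device).
    if (!is_file($real) || !is_readable($real)) {
        return false;
    }
    // Must sit beneath the allowed root; the trailing separator stops
    // "/var/www/redcap-evil" from matching "/var/www/redcap".
    $rootWithSep = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $rootWithSep, strlen($rootWithSep)) === 0;
}

// Usage with assumed values for the General Configuration setting and install dir.
$hookFile = '/var/www/redcap/hooks/redcap_hooks.php';
if (hook_path_is_safe($hookFile, '/var/www/redcap')) {
    include_once $hookFile;
} else {
    error_log("Refusing to include hook functions file: $hookFile");
}
```

This application-level check complements, rather than replaces, leaving PHP's `allow_url_include` directive at its default of Off, which already blocks remote includes at the interpreter level.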