Vulnerabilites related to Vanderbilt - REDCap
CVE-2024-45527 (GCVE-0-2024-45527)
Vulnerability from cvelistv5
Published
2024-09-02 00:00
Modified
2024-09-03 14:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
REDCap 14.7.0 allows HTML injection via the project title of a New Project action. This can lead to resultant logout CSRF via index.php?logout=1, and can also be used to insert a link to an external phishing website.
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:redcap:redcap:14.7.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "redcap",
"vendor": "redcap",
"versions": [
{
"status": "affected",
"version": "14.7.0"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45527",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-03T14:54:42.719407Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T14:56:15.121Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "REDCap 14.7.0 allows HTML injection via the project title of a New Project action. This can lead to resultant logout CSRF via index.php?logout=1, and can also be used to insert a link to an external phishing website."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-02T02:09:04.795528",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"url": "https://github.com/ShellFighter/Reports/blob/main/Vanderbilt%20REDCap%2014.7.0.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-45527",
"datePublished": "2024-09-02T00:00:00",
"dateReserved": "2024-09-02T00:00:00",
"dateUpdated": "2024-09-03T14:56:15.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-13029 (GCVE-0-2019-13029)
Vulnerability from cvelistv5
Published
2019-07-11 18:52
Modified
2025-03-19 19:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple stored Cross-site scripting (XSS) issues in the admin panel and survey system in REDCap 8 before 8.10.20 and 9 before 9.1.2 allow an attacker to inject arbitrary malicious HTML or JavaScript code into a user's web browser.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:41:10.143Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gitlab.com/snippets/1874216"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/153691/REDCap-Cross-Site-Scripting.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple stored Cross-site scripting (XSS) issues in the admin panel and survey system in REDCap 8 before 8.10.20 and 9 before 9.1.2 allow an attacker to inject arbitrary malicious HTML or JavaScript code into a user\u0027s web browser."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T19:37:20.922Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://gitlab.com/snippets/1874216"
},
{
"url": "http://packetstormsecurity.com/files/153691/REDCap-Cross-Site-Scripting.html"
},
{
"url": "https://github.com/WlX-33/PoC-for-CVE/blob/main/CVE-2019-13029/REDCap%20Cross%20Site%20Scripting.txt"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-13029",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple stored Cross-site scripting (XSS) issues in the admin panel and survey system in REDCap 8 before 8.10.20 and 9 before 9.1.2 allow an attacker to inject arbitrary malicious HTML or JavaScript code into a user\u0027s web browser."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gitlab.com/snippets/1874216",
"refsource": "MISC",
"url": "https://gitlab.com/snippets/1874216"
},
{
"name": "http://packetstormsecurity.com/files/153691/REDCap-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/153691/REDCap-Cross-Site-Scripting.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-13029",
"datePublished": "2019-07-11T18:52:33.000Z",
"dateReserved": "2019-06-28T00:00:00.000Z",
"dateUpdated": "2025-03-19T19:37:20.922Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37395 (GCVE-0-2024-37395)
Vulnerability from cvelistv5
Published
2025-06-10 00:00
Modified
2025-06-11 15:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A stored cross-site scripting (XSS) vulnerability in the Public Survey function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Survey Title' and 'Survey Instructions' fields. This vulnerability could be exploited by attackers to execute malicious scripts when the survey is accessed through its public link. It is advised to update to version 14.2.1 or later to fix this issue.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-37395",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-11T15:08:17.226218Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-11T15:08:36.833Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/multiple-cross-site-scripting-xss-vulnerabilities-in-redcap-cve-2024-37394-cve-2024-37395-and-cve-2024-37396/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in the Public Survey function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the \u0027Survey Title\u0027 and \u0027Survey Instructions\u0027 fields. This vulnerability could be exploited by attackers to execute malicious scripts when the survey is accessed through its public link. It is advised to update to version 14.2.1 or later to fix this issue."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T17:20:28.846Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/multiple-cross-site-scripting-xss-vulnerabilities-in-redcap-cve-2024-37394-cve-2024-37395-and-cve-2024-37396/"
},
{
"url": "https://www.trustwave.com/hubfs/Web/Library/Advisories_txt/TWSL2024-003_XSS_REDCap_1.txt"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-37395",
"datePublished": "2025-06-10T00:00:00.000Z",
"dateReserved": "2024-06-07T00:00:00.000Z",
"dateUpdated": "2025-06-11T15:08:36.833Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56312 (GCVE-0-2024-56312)
Vulnerability from cvelistv5
Published
2024-12-22 00:00
Modified
2025-03-18 14:19
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A stored cross-site scripting (XSS) vulnerability in the Project Dashboard name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project Dashboard. When a user clicks on the project Dashboard name, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56312",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-24T02:19:17.041251Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-18T14:19:56.453Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in the Project Dashboard name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project Dashboard. When a user clicks on the project Dashboard name, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T10:49:22.009Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-56312",
"datePublished": "2024-12-22T00:00:00.000Z",
"dateReserved": "2024-12-18T00:00:00.000Z",
"dateUpdated": "2025-03-18T14:19:56.453Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24004 (GCVE-0-2022-24004)
Vulnerability from cvelistv5
Published
2022-06-15 18:16
Modified
2024-08-03 03:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Messenger/messenger_ajax.php in REDCap 12.0.11. This issue allows any authenticated user to inject arbitrary code into the messenger title (aka new_title) field when editing an existing conversation. The payload executes in the browser of any conversation participant with the sidebar shown.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:59:23.364Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Messenger/messenger_ajax.php in REDCap 12.0.11. This issue allows any authenticated user to inject arbitrary code into the messenger title (aka new_title) field when editing an existing conversation. The payload executes in the browser of any conversation participant with the sidebar shown."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-15T18:16:21",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-24004",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Messenger/messenger_ajax.php in REDCap 12.0.11. This issue allows any authenticated user to inject arbitrary code into the messenger title (aka new_title) field when editing an existing conversation. The payload executes in the browser of any conversation participant with the sidebar shown."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/",
"refsource": "MISC",
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"name": "https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/",
"refsource": "MISC",
"url": "https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-24004",
"datePublished": "2022-06-15T18:16:21",
"dateReserved": "2022-01-26T00:00:00",
"dateUpdated": "2024-08-03T03:59:23.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-42715 (GCVE-0-2022-42715)
Vulnerability from cvelistv5
Published
2022-10-12 00:00
Modified
2025-05-15 17:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A reflected XSS vulnerability exists in REDCap before 12.04.18 in the Alerts & Notifications upload feature. A crafted CSV file will, when uploaded, trigger arbitrary JavaScript code execution.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:10:41.465Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"tags": [
"x_transferred"
],
"url": "https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/uclahs-secops/security-research/tree/main/reports/20221011-recap-xss"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-42715",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-15T17:55:53.984465Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T17:56:37.534Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A reflected XSS vulnerability exists in REDCap before 12.04.18 in the Alerts \u0026 Notifications upload feature. A crafted CSV file will, when uploaded, trigger arbitrary JavaScript code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-13T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"url": "https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf"
},
{
"url": "https://github.com/uclahs-secops/security-research/tree/main/reports/20221011-recap-xss"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-42715",
"datePublished": "2022-10-12T00:00:00.000Z",
"dateReserved": "2022-10-10T00:00:00.000Z",
"dateUpdated": "2025-05-15T17:56:37.534Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-6564 (GCVE-0-2012-6564)
Vulnerability from cvelistv5
Published
2013-06-17 10:00
Modified
2024-09-16 16:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in REDCap before 4.14.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
| ▼ | URL | Tags |
|---|---|---|
| http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T21:36:01.279Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in REDCap before 4.14.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-06-17T10:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-6564",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in REDCap before 4.14.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf",
"refsource": "CONFIRM",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-6564",
"datePublished": "2013-06-17T10:00:00Z",
"dateReserved": "2013-06-17T00:00:00Z",
"dateUpdated": "2024-09-16T16:28:30.066Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15127 (GCVE-0-2019-15127)
Vulnerability from cvelistv5
Published
2019-08-21 18:14
Modified
2024-08-05 00:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
REDCap before 9.3.0 allows XSS attacks against non-administrator accounts on the Data Import Tool page via a CSV data import file.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:34:53.304Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "REDCap before 9.3.0 allows XSS attacks against non-administrator accounts on the Data Import Tool page via a CSV data import file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-21T18:14:38",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-15127",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "REDCap before 9.3.0 allows XSS attacks against non-administrator accounts on the Data Import Tool page via a CSV data import file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/",
"refsource": "CONFIRM",
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-15127",
"datePublished": "2019-08-21T18:14:38",
"dateReserved": "2019-08-17T00:00:00",
"dateUpdated": "2024-08-05T00:34:53.304Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56313 (GCVE-0-2024-56313)
Vulnerability from cvelistv5
Published
2024-12-22 00:00
Modified
2025-03-18 13:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A stored cross-site scripting (XSS) vulnerability in the Calendar feature of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the Notes field of a calendar event. When the event is viewed, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56313",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-24T02:17:28.298644Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-18T13:28:03.802Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in the Calendar feature of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the Notes field of a calendar event. When the event is viewed, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T10:49:55.591Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-56313",
"datePublished": "2024-12-22T00:00:00.000Z",
"dateReserved": "2024-12-18T00:00:00.000Z",
"dateUpdated": "2025-03-18T13:28:03.802Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-4609 (GCVE-0-2013-4609)
Vulnerability from cvelistv5
Published
2013-06-17 10:00
Modified
2024-09-17 01:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
REDCap before 5.0.4 and 5.1.x before 5.1.3 does not reject certain undocumented syntax within branching logic and calculations, which allows remote authenticated users to bypass intended access restrictions via (1) the Online Designer or (2) the Data Dictionary upload, as demonstrated by an eval call.
References
| ▼ | URL | Tags |
|---|---|---|
| http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:52:26.693Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "REDCap before 5.0.4 and 5.1.x before 5.1.3 does not reject certain undocumented syntax within branching logic and calculations, which allows remote authenticated users to bypass intended access restrictions via (1) the Online Designer or (2) the Data Dictionary upload, as demonstrated by an eval call."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-06-17T10:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-4609",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "REDCap before 5.0.4 and 5.1.x before 5.1.3 does not reject certain undocumented syntax within branching logic and calculations, which allows remote authenticated users to bypass intended access restrictions via (1) the Online Designer or (2) the Data Dictionary upload, as demonstrated by an eval call."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf",
"refsource": "CONFIRM",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-4609",
"datePublished": "2013-06-17T10:00:00Z",
"dateReserved": "2013-06-17T00:00:00Z",
"dateUpdated": "2024-09-17T01:05:49.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-23111 (GCVE-0-2025-23111)
Vulnerability from cvelistv5
Published
2025-01-10 00:00
Modified
2025-01-13 20:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
An issue was discovered in REDCap 14.9.6. It allows HTML Injection via the Survey field name, exposing users to a redirection to a phishing website. An attacker can exploit this to trick the user that receives the survey into clicking on the field name, which redirects them to a phishing website. Thus, this allows malicious actions to be executed without user consent.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Vanderbilt | REDCap |
Version: 14.9.6 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-23111",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-13T20:50:19.956136Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-13T20:50:35.709Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "REDCap",
"vendor": "Vanderbilt",
"versions": [
{
"status": "affected",
"version": "14.9.6",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"versionEndIncluding": "14.9.6",
"versionStartIncluding": "14.9.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in REDCap 14.9.6. It allows HTML Injection via the Survey field name, exposing users to a redirection to a phishing website. An attacker can exploit this to trick the user that receives the survey into clicking on the field name, which redirects them to a phishing website. Thus, this allows malicious actions to be executed without user consent."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T22:05:32.425Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE_YYYY/README.md"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-23111",
"datePublished": "2025-01-10T00:00:00",
"dateReserved": "2025-01-10T00:00:00",
"dateUpdated": "2025-01-13T20:50:35.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-4608 (GCVE-0-2013-4608)
Vulnerability from cvelistv5
Published
2013-06-17 10:00
Modified
2024-09-16 19:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in REDCap before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via vectors involving the Graphical Data View & Descriptive Stats page.
References
| ▼ | URL | Tags |
|---|---|---|
| http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:52:26.545Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in REDCap before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via vectors involving the Graphical Data View \u0026 Descriptive Stats page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-06-17T10:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-4608",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in REDCap before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via vectors involving the Graphical Data View \u0026 Descriptive Stats page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf",
"refsource": "CONFIRM",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-4608",
"datePublished": "2013-06-17T10:00:00Z",
"dateReserved": "2013-06-17T00:00:00Z",
"dateUpdated": "2024-09-16T19:24:10.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-4611 (GCVE-0-2013-4611)
Vulnerability from cvelistv5
Published
2013-06-17 10:00
Modified
2024-09-17 04:19
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple unspecified vulnerabilities in REDCap before 5.1.1 allow remote attackers to have an unknown impact via vectors involving (1) the Online Designer page or (2) the Manage Survey Participants page.
References
| ▼ | URL | Tags |
|---|---|---|
| http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:52:26.371Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple unspecified vulnerabilities in REDCap before 5.1.1 allow remote attackers to have an unknown impact via vectors involving (1) the Online Designer page or (2) the Manage Survey Participants page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-06-17T10:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-4611",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple unspecified vulnerabilities in REDCap before 5.1.1 allow remote attackers to have an unknown impact via vectors involving (1) the Online Designer page or (2) the Manage Survey Participants page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf",
"refsource": "CONFIRM",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-4611",
"datePublished": "2013-06-17T10:00:00Z",
"dateReserved": "2013-06-17T00:00:00Z",
"dateUpdated": "2024-09-17T04:19:21.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-6565 (GCVE-0-2012-6565)
Vulnerability from cvelistv5
Published
2013-06-17 10:00
Modified
2024-09-17 02:31
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in REDCap before 4.14.3 allows remote authenticated users to inject arbitrary web script or HTML via uppercase characters in JavaScript events within user-defined labels.
References
| ▼ | URL | Tags |
|---|---|---|
| http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T21:36:01.099Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in REDCap before 4.14.3 allows remote authenticated users to inject arbitrary web script or HTML via uppercase characters in JavaScript events within user-defined labels."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-06-17T10:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-6565",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in REDCap before 4.14.3 allows remote authenticated users to inject arbitrary web script or HTML via uppercase characters in JavaScript events within user-defined labels."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf",
"refsource": "CONFIRM",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-6565",
"datePublished": "2013-06-17T10:00:00Z",
"dateReserved": "2013-06-17T00:00:00Z",
"dateUpdated": "2024-09-17T02:31:59.530Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26712 (GCVE-0-2020-26712)
Vulnerability from cvelistv5
Published
2021-01-12 14:17
Modified
2024-08-04 15:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList function via sort parameter. The application uses the addition of a string of information from the submitted user that is not validated well in the database query, resulting in an SQL injection vulnerability where an attacker can exploit and compromise all databases.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | x_refsource_MISC | |
| https://www.project-redcap.org/ | x_refsource_MISC | |
| https://github.com/vuongdq54/RedCap | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:56:04.991Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.project-redcap.org/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vuongdq54/RedCap"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList function via sort parameter. The application uses the addition of a string of information from the submitted user that is not validated well in the database query, resulting in an SQL injection vulnerability where an attacker can exploit and compromise all databases."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-12T14:17:33",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.project-redcap.org/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vuongdq54/RedCap"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-26712",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList function via sort parameter. The application uses the addition of a string of information from the submitted user that is not validated well in the database query, resulting in an SQL injection vulnerability where an attacker can exploit and compromise all databases."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/",
"refsource": "MISC",
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"name": "https://www.project-redcap.org/",
"refsource": "MISC",
"url": "https://www.project-redcap.org/"
},
{
"name": "https://github.com/vuongdq54/RedCap",
"refsource": "MISC",
"url": "https://github.com/vuongdq54/RedCap"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-26712",
"datePublished": "2021-01-12T14:17:33",
"dateReserved": "2020-10-07T00:00:00",
"dateUpdated": "2024-08-04T15:56:04.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-23110 (GCVE-0-2025-23110)
Vulnerability from cvelistv5
Published
2025-01-10 00:00
Modified
2025-01-13 20:52
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
An issue was discovered in REDCap 14.9.6. A Reflected cross-site scripting (XSS) vulnerability in the email-subject field exists while performing an upload of a CSV file containing a list of alert configurations. An attacker can send the victim a CSV file containing the XSS payload in the email-subject. Once the victim uploads the file, he automatically lands on a page to view the uploaded data. If the victim clicks on the email-subject value, it triggers the XSS payload.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Vanderbilt | REDCap |
Version: 14.9.6 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-23110",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-13T20:52:08.758035Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-13T20:52:26.172Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "REDCap",
"vendor": "Vanderbilt",
"versions": [
{
"status": "affected",
"version": "14.9.6",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"versionEndIncluding": "14.9.6",
"versionStartIncluding": "14.9.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in REDCap 14.9.6. A Reflected cross-site scripting (XSS) vulnerability in the email-subject field exists while performing an upload of a CSV file containing a list of alert configurations. An attacker can send the victim a CSV file containing the XSS payload in the email-subject. Once the victim uploads the file, he automatically lands on a page to view the uploaded data. If the victim clicks on the email-subject value, it triggers the XSS payload."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T22:03:30.880Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE_VVVVVV/README.md"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-23110",
"datePublished": "2025-01-10T00:00:00",
"dateReserved": "2025-01-10T00:00:00",
"dateUpdated": "2025-01-13T20:52:26.172Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-10962 (GCVE-0-2017-10962)
Vulnerability from cvelistv5
Published
2017-07-18 14:00
Modified
2024-08-05 17:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
REDCap before 7.5.1 has XSS via the query string.
References
| ▼ | URL | Tags |
|---|---|---|
| https://community.projectredcap.org/articles/13/changelog-standard-release.html | x_refsource_MISC | |
| https://gist.github.com/jordanpotti/fef4f1ada404d5ba7f88ab42e93cdaae | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:57:56.763Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://community.projectredcap.org/articles/13/changelog-standard-release.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gist.github.com/jordanpotti/fef4f1ada404d5ba7f88ab42e93cdaae"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-07-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "REDCap before 7.5.1 has XSS via the query string."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-18T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://community.projectredcap.org/articles/13/changelog-standard-release.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gist.github.com/jordanpotti/fef4f1ada404d5ba7f88ab42e93cdaae"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-10962",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "REDCap before 7.5.1 has XSS via the query string."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://community.projectredcap.org/articles/13/changelog-standard-release.html",
"refsource": "MISC",
"url": "https://community.projectredcap.org/articles/13/changelog-standard-release.html"
},
{
"name": "https://gist.github.com/jordanpotti/fef4f1ada404d5ba7f88ab42e93cdaae",
"refsource": "MISC",
"url": "https://gist.github.com/jordanpotti/fef4f1ada404d5ba7f88ab42e93cdaae"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-10962",
"datePublished": "2017-07-18T14:00:00",
"dateReserved": "2017-07-05T00:00:00",
"dateUpdated": "2024-08-05T17:57:56.763Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-38825 (GCVE-0-2023-38825)
Vulnerability from cvelistv5
Published
2024-03-06 00:00
Modified
2024-08-05 17:07
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
SQL injection vulnerability in Vanderbilt REDCap before v.13.8.0 allows a remote attacker to obtain sensitive information via the password reset mechanism in MyCapMobileApp/update.php.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:54:38.567Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.project-redcap.org/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/ntrampham/REDCap"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "redcap",
"vendor": "vanderbilt",
"versions": [
{
"lessThan": "v13.8.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-38825",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T17:04:29.536653Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T17:07:27.887Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in Vanderbilt REDCap before v.13.8.0 allows a remote attacker to obtain sensitive information via the password reset mechanism in MyCapMobileApp/update.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-06T15:46:07.829564",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.project-redcap.org/"
},
{
"url": "https://github.com/ntrampham/REDCap"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-38825",
"datePublished": "2024-03-06T00:00:00",
"dateReserved": "2023-07-25T00:00:00",
"dateUpdated": "2024-08-05T17:07:27.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56377 (GCVE-0-2024-56377)
Vulnerability from cvelistv5
Published
2025-01-09 00:00
Modified
2025-01-10 16:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
A stored cross-site scripting (XSS) vulnerability in survey titles of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the Survey Title field or Survey Instructions. When a user receives a survey and clicks anywhere on the survey page to enter data, the crafted payload (which has been injected into all survey fields) is executed, potentially enabling the execution of arbitrary web scripts.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Vanderbilt | REDCap |
Version: 14.9.6 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56377",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-10T16:58:33.284530Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T16:59:00.480Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "REDCap",
"vendor": "Vanderbilt",
"versions": [
{
"status": "affected",
"version": "14.9.6",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"versionEndIncluding": "14.9.6",
"versionStartIncluding": "14.9.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in survey titles of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the Survey Title field or Survey Instructions. When a user receives a survey and clicks anywhere on the survey page to enter data, the crafted payload (which has been injected into all survey fields) is executed, potentially enabling the execution of arbitrary web scripts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T23:02:37.249Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE-2024-56377/README.md"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-56377",
"datePublished": "2025-01-09T00:00:00",
"dateReserved": "2024-12-22T00:00:00",
"dateUpdated": "2025-01-10T16:59:00.480Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-23113 (GCVE-0-2025-23113)
Vulnerability from cvelistv5
Published
2025-01-10 00:00
Modified
2025-01-13 20:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
An issue was discovered in REDCap 14.9.6. It has an action=myprojects&logout=1 CSRF issue in the alert-title while performing an upload of a CSV file containing a list of alert configuration. An attacker can send the victim a CSV file containing an HTML injection payload in the alert-title. Once the victim uploads the file, he automatically lands on a page to view the uploaded data. If the victim click on the alert-title value, it can trigger a logout request and terminates their session, or redirect to a phishing website. This vulnerability stems from the absence of CSRF protections on the logout functionality.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Vanderbilt | REDCap |
Version: 14.9.6 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-23113",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-13T20:35:08.080207Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-13T20:35:35.849Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "REDCap",
"vendor": "Vanderbilt",
"versions": [
{
"status": "affected",
"version": "14.9.6",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"versionEndIncluding": "14.9.6",
"versionStartIncluding": "14.9.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in REDCap 14.9.6. It has an action=myprojects\u0026logout=1 CSRF issue in the alert-title while performing an upload of a CSV file containing a list of alert configuration. An attacker can send the victim a CSV file containing an HTML injection payload in the alert-title. Once the victim uploads the file, he automatically lands on a page to view the uploaded data. If the victim click on the alert-title value, it can trigger a logout request and terminates their session, or redirect to a phishing website. This vulnerability stems from the absence of CSRF protections on the logout functionality."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.4,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T22:10:58.576Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE_XXX/README.md"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-23113",
"datePublished": "2025-01-10T00:00:00",
"dateReserved": "2025-01-10T00:00:00",
"dateUpdated": "2025-01-13T20:35:35.849Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-6566 (GCVE-0-2012-6566)
Vulnerability from cvelistv5
Published
2013-06-17 10:00
Modified
2024-09-16 18:43
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in REDCap before 4.14.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
| ▼ | URL | Tags |
|---|---|---|
| http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T21:36:00.310Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in REDCap before 4.14.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-06-17T10:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-6566",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in REDCap before 4.14.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf",
"refsource": "CONFIRM",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-6566",
"datePublished": "2013-06-17T10:00:00Z",
"dateReserved": "2013-06-17T00:00:00Z",
"dateUpdated": "2024-09-16T18:43:39.448Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56310 (GCVE-0-2024-56310)
Vulnerability from cvelistv5
Published
2024-12-22 00:00
Modified
2025-03-19 13:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
REDCap through 14.9.6 has a security flaw in the Project Dashboards name, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into clicking on a Project Dashboards name that contains the malicious payload, which triggers a logout request and terminates their session. This vulnerability stems from the absence of CSRF protections on the logout functionality, allowing malicious actions to be executed without user consent.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56310",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-24T02:24:34.277939Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T13:51:20.367Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "REDCap through 14.9.6 has a security flaw in the Project Dashboards name, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into clicking on a Project Dashboards name that contains the malicious payload, which triggers a logout request and terminates their session. This vulnerability stems from the absence of CSRF protections on the logout functionality, allowing malicious actions to be executed without user consent."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T10:48:01.411Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-56310",
"datePublished": "2024-12-22T00:00:00.000Z",
"dateReserved": "2024-12-18T00:00:00.000Z",
"dateUpdated": "2025-03-19T13:51:20.367Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-37798 (GCVE-0-2023-37798)
Vulnerability from cvelistv5
Published
2023-09-07 00:00
Modified
2024-09-26 17:42
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A stored cross-site scripting (XSS) vulnerability in the new REDCap project creation function of Vanderbilt REDCap 13.1.35 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the project title parameter.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:23:27.429Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://redcap.com"
},
{
"tags": [
"x_transferred"
],
"url": "http://vanderbilt.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.cyderes.com/blog/cve-2023-37798-stored-cross-site-scripting-in-vanderbilt-redcap/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-37798",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T17:42:24.276085Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T17:42:52.524Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in the new REDCap project creation function of Vanderbilt REDCap 13.1.35 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the project title parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-07T18:23:08.802299",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "http://redcap.com"
},
{
"url": "http://vanderbilt.com"
},
{
"url": "https://www.cyderes.com/blog/cve-2023-37798-stored-cross-site-scripting-in-vanderbilt-redcap/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-37798",
"datePublished": "2023-09-07T00:00:00",
"dateReserved": "2023-07-10T00:00:00",
"dateUpdated": "2024-09-26T17:42:52.524Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-42136 (GCVE-0-2021-42136)
Vulnerability from cvelistv5
Published
2022-04-13 15:32
Modified
2024-08-04 03:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap before 11.4.0 allows remote attackers to execute JavaScript code in the client's browser by storing said code as a Missing Data Code value. This can then be leveraged to execute a Cross-Site Request Forgery attack to escalate privileges to administrator.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.project-redcap.org/ | x_refsource_MISC | |
| https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf | x_refsource_MISC | |
| http://packetstormsecurity.com/files/166723/REDCap-Cross-Site-Scripting.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:30:37.558Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.project-redcap.org/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/166723/REDCap-Cross-Site-Scripting.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap before 11.4.0 allows remote attackers to execute JavaScript code in the client\u0027s browser by storing said code as a Missing Data Code value. This can then be leveraged to execute a Cross-Site Request Forgery attack to escalate privileges to administrator."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-15T21:02:59",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.project-redcap.org/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/166723/REDCap-Cross-Site-Scripting.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-42136",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap before 11.4.0 allows remote attackers to execute JavaScript code in the client\u0027s browser by storing said code as a Missing Data Code value. This can then be leveraged to execute a Cross-Site Request Forgery attack to escalate privileges to administrator."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.project-redcap.org/",
"refsource": "MISC",
"url": "https://www.project-redcap.org/"
},
{
"name": "https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf",
"refsource": "MISC",
"url": "https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf"
},
{
"name": "http://packetstormsecurity.com/files/166723/REDCap-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/166723/REDCap-Cross-Site-Scripting.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-42136",
"datePublished": "2022-04-13T15:32:56",
"dateReserved": "2021-10-11T00:00:00",
"dateUpdated": "2024-08-04T03:30:37.558Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7351 (GCVE-0-2017-7351)
Vulnerability from cvelistv5
Published
2018-02-08 15:00
Modified
2024-08-05 15:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A SQL injection issue exists in a file upload handler in REDCap 7.x before 7.0.11 via a trailing substring to SendITController:upload.
References
| ▼ | URL | Tags |
|---|---|---|
| https://labs.nettitude.com/blog/cve-2017-7351-redcap-7-0-0-7-0-10-sql-injection/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T15:56:36.485Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://labs.nettitude.com/blog/cve-2017-7351-redcap-7-0-0-7-0-10-sql-injection/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-02-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A SQL injection issue exists in a file upload handler in REDCap 7.x before 7.0.11 via a trailing substring to SendITController:upload."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-08T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://labs.nettitude.com/blog/cve-2017-7351-redcap-7-0-0-7-0-10-sql-injection/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-7351",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A SQL injection issue exists in a file upload handler in REDCap 7.x before 7.0.11 via a trailing substring to SendITController:upload."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://labs.nettitude.com/blog/cve-2017-7351-redcap-7-0-0-7-0-10-sql-injection/",
"refsource": "MISC",
"url": "https://labs.nettitude.com/blog/cve-2017-7351-redcap-7-0-0-7-0-10-sql-injection/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-7351",
"datePublished": "2018-02-08T15:00:00",
"dateReserved": "2017-03-30T00:00:00",
"dateUpdated": "2024-08-05T15:56:36.485Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56314 (GCVE-0-2024-56314)
Vulnerability from cvelistv5
Published
2024-12-22 00:00
Modified
2025-03-17 16:43
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A stored cross-site scripting (XSS) vulnerability in the Project name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project. When a user clicks on the project name to access it, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56314",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-24T02:14:33.099879Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T16:43:30.283Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in the Project name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project. When a user clicks on the project name to access it, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T10:50:29.016Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-56314",
"datePublished": "2024-12-22T00:00:00.000Z",
"dateReserved": "2024-12-18T00:00:00.000Z",
"dateUpdated": "2025-03-17T16:43:30.283Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37396 (GCVE-0-2024-37396)
Vulnerability from cvelistv5
Published
2025-06-10 00:00
Modified
2025-06-11 15:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A stored cross-site scripting (XSS) vulnerability in the Calendar function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Notes' field of a calendar event. This could lead to the execution of malicious scripts when the event is viewed. Updating to version 14.2.1 or later is recommended to remediate this vulnerability.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-37396",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-11T15:07:46.528375Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-11T15:08:06.866Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/multiple-cross-site-scripting-xss-vulnerabilities-in-redcap-cve-2024-37394-cve-2024-37395-and-cve-2024-37396/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in the Calendar function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the \u0027Notes\u0027 field of a calendar event. This could lead to the execution of malicious scripts when the event is viewed. Updating to version 14.2.1 or later is recommended to remediate this vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T17:13:45.484Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/multiple-cross-site-scripting-xss-vulnerabilities-in-redcap-cve-2024-37394-cve-2024-37395-and-cve-2024-37396/"
},
{
"url": "https://www.trustwave.com/hubfs/Web/Library/Advisories_txt/TWSL2024-003_XSS_REDCap_1.txt"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-37396",
"datePublished": "2025-06-10T00:00:00.000Z",
"dateReserved": "2024-06-07T00:00:00.000Z",
"dateUpdated": "2025-06-11T15:08:06.866Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26713 (GCVE-0-2020-26713)
Vulnerability from cvelistv5
Published
2021-01-12 14:17
Modified
2024-08-04 15:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
REDCap 10.3.4 contains a XSS vulnerability in the ToDoList function with parameter sort. The information submitted by the user is immediately returned in the response and not escaped leading to the reflected XSS vulnerability. Attackers can exploit vulnerabilities to steal login session information or borrow user rights to perform unauthorized acts.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | x_refsource_MISC | |
| https://www.project-redcap.org/ | x_refsource_MISC | |
| https://github.com/vuongdq54/RedCap | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:56:05.085Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.project-redcap.org/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vuongdq54/RedCap"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "REDCap 10.3.4 contains a XSS vulnerability in the ToDoList function with parameter sort. The information submitted by the user is immediately returned in the response and not escaped leading to the reflected XSS vulnerability. Attackers can exploit vulnerabilities to steal login session information or borrow user rights to perform unauthorized acts."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-12T14:17:55",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.project-redcap.org/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vuongdq54/RedCap"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-26713",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "REDCap 10.3.4 contains a XSS vulnerability in the ToDoList function with parameter sort. The information submitted by the user is immediately returned in the response and not escaped leading to the reflected XSS vulnerability. Attackers can exploit vulnerabilities to steal login session information or borrow user rights to perform unauthorized acts."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/",
"refsource": "MISC",
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"name": "https://www.project-redcap.org/",
"refsource": "MISC",
"url": "https://www.project-redcap.org/"
},
{
"name": "https://github.com/vuongdq54/RedCap",
"refsource": "MISC",
"url": "https://github.com/vuongdq54/RedCap"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-26713",
"datePublished": "2021-01-12T14:17:55",
"dateReserved": "2020-10-07T00:00:00",
"dateUpdated": "2024-08-04T15:56:05.085Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56311 (GCVE-0-2024-56311)
Vulnerability from cvelistv5
Published
2024-12-22 00:00
Modified
2025-03-13 19:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
REDCap through 14.9.6 has a security flaw in the Notes section of calendar events, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into accessing a calendar event's notes, which triggers a logout request and terminates their session. This vulnerability stems from the absence of CSRF protections on the logout functionality, allowing malicious actions to be executed without user consent.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56311",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-24T02:21:05.201133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T19:06:13.574Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "REDCap through 14.9.6 has a security flaw in the Notes section of calendar events, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into accessing a calendar event\u0027s notes, which triggers a logout request and terminates their session. This vulnerability stems from the absence of CSRF protections on the logout functionality, allowing malicious actions to be executed without user consent."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T10:48:44.723Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-56311",
"datePublished": "2024-12-22T00:00:00.000Z",
"dateReserved": "2024-12-18T00:00:00.000Z",
"dateUpdated": "2025-03-13T19:06:13.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-37361 (GCVE-0-2023-37361)
Vulnerability from cvelistv5
Published
2023-07-25 00:00
Modified
2024-10-23 19:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
REDCap 12.0.26 LTS and 12.3.2 Standard allows SQL Injection via scheduling, repeatforms, purpose, app_title, or randomization.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:09:34.360Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://trustwave.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=32305"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-37361",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T19:57:04.426353Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T19:57:15.523Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "REDCap 12.0.26 LTS and 12.3.2 Standard allows SQL Injection via scheduling, repeatforms, purpose, app_title, or randomization."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-25T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://trustwave.com"
},
{
"url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=32305"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-37361",
"datePublished": "2023-07-25T00:00:00",
"dateReserved": "2023-06-30T00:00:00",
"dateUpdated": "2024-10-23T19:57:15.523Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24127 (GCVE-0-2022-24127)
Vulnerability from cvelistv5
Published
2022-06-15 18:16
Modified
2024-08-03 03:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A Stored Cross-Site Scripting (XSS) vulnerability was discovered in ProjectGeneral/edit_project_settings.php in REDCap 12.0.11. This issue allows any user with project management permissions to inject arbitrary code into the project title (app_title) field when editing an existing project. The payload is then reflected within the title tag of the page.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:59:23.927Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Stored Cross-Site Scripting (XSS) vulnerability was discovered in ProjectGeneral/edit_project_settings.php in REDCap 12.0.11. This issue allows any user with project management permissions to inject arbitrary code into the project title (app_title) field when editing an existing project. The payload is then reflected within the title tag of the page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-15T18:16:28",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-24127",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Stored Cross-Site Scripting (XSS) vulnerability was discovered in ProjectGeneral/edit_project_settings.php in REDCap 12.0.11. This issue allows any user with project management permissions to inject arbitrary code into the project title (app_title) field when editing an existing project. The payload is then reflected within the title tag of the page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/",
"refsource": "MISC",
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"name": "https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/",
"refsource": "MISC",
"url": "https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-24127",
"datePublished": "2022-06-15T18:16:28",
"dateReserved": "2022-01-29T00:00:00",
"dateUpdated": "2024-08-03T03:59:23.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-4610 (GCVE-0-2013-4610)
Vulnerability from cvelistv5
Published
2013-06-17 10:00
Modified
2024-09-17 00:21
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Unspecified vulnerability in the Data Search utility in data-entry forms in REDCap before 5.0.3 and 5.1.x before 5.1.2 has unknown impact and remote attack vectors.
References
| ▼ | URL | Tags |
|---|---|---|
| http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:52:26.656Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Unspecified vulnerability in the Data Search utility in data-entry forms in REDCap before 5.0.3 and 5.1.x before 5.1.2 has unknown impact and remote attack vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-06-17T10:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-4610",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unspecified vulnerability in the Data Search utility in data-entry forms in REDCap before 5.0.3 and 5.1.x before 5.1.2 has unknown impact and remote attack vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf",
"refsource": "CONFIRM",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-4610",
"datePublished": "2013-06-17T10:00:00Z",
"dateReserved": "2013-06-17T00:00:00Z",
"dateUpdated": "2024-09-17T00:21:36.554Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56376 (GCVE-0-2024-56376)
Vulnerability from cvelistv5
Published
2025-01-09 00:00
Modified
2025-01-10 14:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
A stored cross-site scripting (XSS) vulnerability in the built-in messenger of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the message field. When a user click on the received message, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Vanderbilt | REDCap |
Version: 14.9.6 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56376",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-10T14:56:58.897721Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T14:59:11.687Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "REDCap",
"vendor": "Vanderbilt",
"versions": [
{
"status": "affected",
"version": "14.9.6",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"versionEndIncluding": "14.9.6",
"versionStartIncluding": "14.9.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in the built-in messenger of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the message field. When a user click on the received message, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T23:03:55.418Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE-2024-56376/README.md"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-56376",
"datePublished": "2025-01-09T00:00:00",
"dateReserved": "2024-12-22T00:00:00",
"dateUpdated": "2025-01-10T14:59:11.687Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-17121 (GCVE-0-2019-17121)
Vulnerability from cvelistv5
Published
2019-10-04 02:29
Modified
2024-08-05 01:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
REDCap before 9.3.4 has XSS on the Customize & Manage Locking/E-signatures page via Lock Record Custom Text values.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:33:17.299Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "REDCap before 9.3.4 has XSS on the Customize \u0026 Manage Locking/E-signatures page via Lock Record Custom Text values."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-04T02:29:27",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-17121",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "REDCap before 9.3.4 has XSS on the Customize \u0026 Manage Locking/E-signatures page via Lock Record Custom Text values."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/",
"refsource": "MISC",
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-17121",
"datePublished": "2019-10-04T02:29:27",
"dateReserved": "2019-10-04T00:00:00",
"dateUpdated": "2024-08-05T01:33:17.299Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-10961 (GCVE-0-2017-10961)
Vulnerability from cvelistv5
Published
2017-07-18 14:00
Modified
2024-08-05 17:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
REDCap before 7.5.1 has CSRF in the deletion feature of the File Repository and File Upload components.
References
| ▼ | URL | Tags |
|---|---|---|
| https://community.projectredcap.org/articles/13/changelog-standard-release.html | x_refsource_MISC | |
| https://gist.github.com/jordanpotti/fef4f1ada404d5ba7f88ab42e93cdaae | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:57:56.888Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://community.projectredcap.org/articles/13/changelog-standard-release.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gist.github.com/jordanpotti/fef4f1ada404d5ba7f88ab42e93cdaae"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-07-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "REDCap before 7.5.1 has CSRF in the deletion feature of the File Repository and File Upload components."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-18T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://community.projectredcap.org/articles/13/changelog-standard-release.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gist.github.com/jordanpotti/fef4f1ada404d5ba7f88ab42e93cdaae"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-10961",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "REDCap before 7.5.1 has CSRF in the deletion feature of the File Repository and File Upload components."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://community.projectredcap.org/articles/13/changelog-standard-release.html",
"refsource": "MISC",
"url": "https://community.projectredcap.org/articles/13/changelog-standard-release.html"
},
{
"name": "https://gist.github.com/jordanpotti/fef4f1ada404d5ba7f88ab42e93cdaae",
"refsource": "MISC",
"url": "https://gist.github.com/jordanpotti/fef4f1ada404d5ba7f88ab42e93cdaae"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-10961",
"datePublished": "2017-07-18T14:00:00",
"dateReserved": "2017-07-05T00:00:00",
"dateUpdated": "2024-08-05T17:57:56.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-14937 (GCVE-0-2019-14937)
Vulnerability from cvelistv5
Published
2019-08-17 16:15
Modified
2024-08-05 00:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php. The attacker can obtain a user's login sessionid from the database, and then re-login into REDCap to compromise all data.
References
| ▼ | URL | Tags |
|---|---|---|
| https://projectredcap.org/resources/community/ | x_refsource_MISC | |
| https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | x_refsource_CONFIRM | |
| https://gist.github.com/hiennv20/6739606a4d0d25612f5139ec391060b7 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:34:52.407Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://projectredcap.org/resources/community/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gist.github.com/hiennv20/6739606a4d0d25612f5139ec391060b7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php. The attacker can obtain a user\u0027s login sessionid from the database, and then re-login into REDCap to compromise all data."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-17T16:15:20",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://projectredcap.org/resources/community/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gist.github.com/hiennv20/6739606a4d0d25612f5139ec391060b7"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-14937",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php. The attacker can obtain a user\u0027s login sessionid from the database, and then re-login into REDCap to compromise all data."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://projectredcap.org/resources/community/",
"refsource": "MISC",
"url": "https://projectredcap.org/resources/community/"
},
{
"name": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/",
"refsource": "CONFIRM",
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"name": "https://gist.github.com/hiennv20/6739606a4d0d25612f5139ec391060b7",
"refsource": "MISC",
"url": "https://gist.github.com/hiennv20/6739606a4d0d25612f5139ec391060b7"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-14937",
"datePublished": "2019-08-17T16:15:20",
"dateReserved": "2019-08-11T00:00:00",
"dateUpdated": "2024-08-05T00:34:52.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27358 (GCVE-0-2020-27358)
Vulnerability from cvelistv5
Published
2020-10-31 16:18
Modified
2024-08-04 16:11
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in REDCap 8.11.6 through 9.x before 10. The messenger's CSV feature (that allows users to export their conversation threads as CSV) allows non-privileged users to export one another's conversation threads by changing the thread_id parameter in the request to the endpoint Messenger/messenger_download_csv.php?title=Hey&thread_id={THREAD_ID}.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | x_refsource_MISC | |
| https://www.ruse.tech/blog/38 | x_refsource_MISC | |
| https://github.com/seb1055/cve-2020-27358-27359 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:11:36.611Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.ruse.tech/blog/38"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/seb1055/cve-2020-27358-27359"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in REDCap 8.11.6 through 9.x before 10. The messenger\u0027s CSV feature (that allows users to export their conversation threads as CSV) allows non-privileged users to export one another\u0027s conversation threads by changing the thread_id parameter in the request to the endpoint Messenger/messenger_download_csv.php?title=Hey\u0026thread_id={THREAD_ID}."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-02T13:01:22",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.ruse.tech/blog/38"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/seb1055/cve-2020-27358-27359"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-27358",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in REDCap 8.11.6 through 9.x before 10. The messenger\u0027s CSV feature (that allows users to export their conversation threads as CSV) allows non-privileged users to export one another\u0027s conversation threads by changing the thread_id parameter in the request to the endpoint Messenger/messenger_download_csv.php?title=Hey\u0026thread_id={THREAD_ID}."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/",
"refsource": "MISC",
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"name": "https://www.ruse.tech/blog/38",
"refsource": "MISC",
"url": "https://www.ruse.tech/blog/38"
},
{
"name": "https://github.com/seb1055/cve-2020-27358-27359",
"refsource": "MISC",
"url": "https://github.com/seb1055/cve-2020-27358-27359"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-27358",
"datePublished": "2020-10-31T16:18:43",
"dateReserved": "2020-10-20T00:00:00",
"dateUpdated": "2024-08-04T16:11:36.611Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-4612 (GCVE-0-2013-4612)
Vulnerability from cvelistv5
Published
2013-06-17 10:00
Modified
2024-09-17 00:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in REDCap before 5.1.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving different modules.
References
| ▼ | URL | Tags |
|---|---|---|
| http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:52:26.602Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in REDCap before 5.1.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving different modules."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-06-17T10:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-4612",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in REDCap before 5.1.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving different modules."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf",
"refsource": "CONFIRM",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-4612",
"datePublished": "2013-06-17T10:00:00Z",
"dateReserved": "2013-06-17T00:00:00Z",
"dateUpdated": "2024-09-17T00:20:53.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37394 (GCVE-0-2024-37394)
Vulnerability from cvelistv5
Published
2025-06-10 00:00
Modified
2025-06-11 15:07
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A stored cross-site scripting (XSS) vulnerability in the Project Dashboards of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Dashboard title' and 'Dashboard content' text boxes. This can lead to the execution of malicious scripts when the dashboard is viewed. Users are recommended to update to version 14.2.1 or later to mitigate this vulnerability.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-37394",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-11T15:07:14.491532Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-11T15:07:28.709Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/multiple-cross-site-scripting-xss-vulnerabilities-in-redcap-cve-2024-37394-cve-2024-37395-and-cve-2024-37396/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in the Project Dashboards of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the \u0027Dashboard title\u0027 and \u0027Dashboard content\u0027 text boxes. This can lead to the execution of malicious scripts when the dashboard is viewed. Users are recommended to update to version 14.2.1 or later to mitigate this vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T17:23:14.760Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/multiple-cross-site-scripting-xss-vulnerabilities-in-redcap-cve-2024-37394-cve-2024-37395-and-cve-2024-37396/"
},
{
"url": "https://www.trustwave.com/hubfs/Web/Library/Advisories_txt/TWSL2024-003_XSS_REDCap_1.txt"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-37394",
"datePublished": "2025-06-10T00:00:00.000Z",
"dateReserved": "2024-06-07T00:00:00.000Z",
"dateUpdated": "2025-06-11T15:07:28.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-23112 (GCVE-0-2025-23112)
Vulnerability from cvelistv5
Published
2025-01-10 00:00
Modified
2025-01-13 20:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
An issue was discovered in REDCap 14.9.6. A stored cross-site scripting (XSS) vulnerability allows authenticated users to inject malicious scripts into the Survey field name of Survey. When a user receive the survey, if he clicks on the field name, it triggers the XSS payload.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Vanderbilt | REDCap |
Version: 14.9.6 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-23112",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-13T20:46:48.285982Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-13T20:47:26.043Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "REDCap",
"vendor": "Vanderbilt",
"versions": [
{
"status": "affected",
"version": "14.9.6",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"versionEndIncluding": "14.9.6",
"versionStartIncluding": "14.9.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in REDCap 14.9.6. A stored cross-site scripting (XSS) vulnerability allows authenticated users to inject malicious scripts into the Survey field name of Survey. When a user receive the survey, if he clicks on the field name, it triggers the XSS payload."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T22:07:19.788Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE_ZZZZ/README.md"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-23112",
"datePublished": "2025-01-10T00:00:00",
"dateReserved": "2025-01-10T00:00:00",
"dateUpdated": "2025-01-13T20:47:26.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2024-12-22 22:15
Modified
2025-04-22 15:43
Severity ?
Summary
A stored cross-site scripting (XSS) vulnerability in the Project Dashboard name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project Dashboard. When a user clicks on the project Dashboard name, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Product |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "08C656CE-426D-43CB-BB3A-92EDFA9B40B6",
"versionEndIncluding": "14.9.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in the Project Dashboard name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project Dashboard. When a user clicks on the project Dashboard name, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts."
},
{
"lang": "es",
"value": "Una vulnerabilidad de cross-site scripting (XSS) almacenado en el nombre del panel de proyectos de REDCap hasta la versi\u00f3n 15.0.0 permite a los usuarios autenticados inyectar secuencias de comandos maliciosas en el campo de nombre de un panel de proyectos. Cuando un usuario hace clic en el nombre del panel de proyectos, se ejecuta el payload manipulado, lo que potencialmente permite la ejecuci\u00f3n de secuencias de comandos web arbitrarias."
}
],
"id": "CVE-2024-56312",
"lastModified": "2025-04-22T15:43:32.430",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-12-22T22:15:05.630",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-01-12 15:15
Modified
2024-11-21 05:20
Severity ?
Summary
REDCap 10.3.4 contains a XSS vulnerability in the ToDoList function with parameter sort. The information submitted by the user is immediately returned in the response and not escaped leading to the reflected XSS vulnerability. Attackers can exploit vulnerabilities to steal login session information or borrow user rights to perform unauthorized acts.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/vuongdq54/RedCap | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://www.project-redcap.org/ | Product, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vuongdq54/RedCap | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.project-redcap.org/ | Product, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | 10.0.20 | |
| vanderbilt | redcap | 10.3.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:10.0.20:*:*:*:lts:*:*:*",
"matchCriteriaId": "453770EC-9CBC-42AF-94A2-128E9EAC2367",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:10.3.4:*:*:*:-:*:*:*",
"matchCriteriaId": "BBFEBD85-9056-457B-929C-784EE838A146",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "REDCap 10.3.4 contains a XSS vulnerability in the ToDoList function with parameter sort. The information submitted by the user is immediately returned in the response and not escaped leading to the reflected XSS vulnerability. Attackers can exploit vulnerabilities to steal login session information or borrow user rights to perform unauthorized acts."
},
{
"lang": "es",
"value": "REDCap versi\u00f3n 10.3.4, contiene una vulnerabilidad de tipo XSS en la funci\u00f3n ToDoList con el par\u00e1metro sort.\u0026#xa0;La informaci\u00f3n enviada por el usuario es inmediatamente devuelta en la respuesta y no se escapa, conllevando a una vulnerabilidad de tipo XSS reflejado.\u0026#xa0;Los atacantes pueden explotar vulnerabilidades para robar informaci\u00f3n de la sesi\u00f3n de inicio de sesi\u00f3n o tomar prestados derechos de usuario para llevar a cabo actos no autorizados"
}
],
"id": "CVE-2020-26713",
"lastModified": "2024-11-21T05:20:16.313",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-01-12T15:15:13.843",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/vuongdq54/RedCap"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"source": "cve@mitre.org",
"tags": [
"Product",
"Vendor Advisory"
],
"url": "https://www.project-redcap.org/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/vuongdq54/RedCap"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Vendor Advisory"
],
"url": "https://www.project-redcap.org/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-07-18 14:29
Modified
2025-04-20 01:37
Severity ?
Summary
REDCap before 7.5.1 has XSS via the query string.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8459A929-646B-481D-9C23-78818C7D8FE6",
"versionEndIncluding": "7.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "REDCap before 7.5.1 has XSS via the query string."
},
{
"lang": "es",
"value": "REDCap anterior a versi\u00f3n 7.5.1, presenta un problema de tipo XSS por medio de la cadena de consulta."
}
],
"id": "CVE-2017-10962",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-07-18T14:29:00.233",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Permissions Required"
],
"url": "https://community.projectredcap.org/articles/13/changelog-standard-release.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://gist.github.com/jordanpotti/fef4f1ada404d5ba7f88ab42e93cdaae"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required"
],
"url": "https://community.projectredcap.org/articles/13/changelog-standard-release.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://gist.github.com/jordanpotti/fef4f1ada404d5ba7f88ab42e93cdaae"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-06-10 18:15
Modified
2025-06-16 15:17
Severity ?
Summary
A stored cross-site scripting (XSS) vulnerability in the Project Dashboards of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Dashboard title' and 'Dashboard content' text boxes. This can lead to the execution of malicious scripts when the dashboard is viewed. Users are recommended to update to version 14.2.1 or later to mitigate this vulnerability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1142BA00-A7E2-4FC5-8BA8-C39BAB119DA8",
"versionEndExcluding": "14.2.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in the Project Dashboards of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the \u0027Dashboard title\u0027 and \u0027Dashboard content\u0027 text boxes. This can lead to the execution of malicious scripts when the dashboard is viewed. Users are recommended to update to version 14.2.1 or later to mitigate this vulnerability."
},
{
"lang": "es",
"value": "Una vulnerabilidad de cross site scripting (XSS) almacenado en los paneles de control del proyecto REDCap 13.1.9 permite a los usuarios autenticados ejecutar scripts web o HTML arbitrarios mediante la inyecci\u00f3n de un payload manipulado en los cuadros de texto \"T\u00edtulo del panel\" y \"Contenido del panel\". Esto puede provocar la ejecuci\u00f3n de scripts maliciosos al acceder al panel. Se recomienda a los usuarios actualizar a la versi\u00f3n 14.2.1 o posterior para mitigar esta vulnerabilidad."
}
],
"id": "CVE-2024-37394",
"lastModified": "2025-06-16T15:17:46.390",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-06-10T18:15:29.527",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"Exploit"
],
"url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/multiple-cross-site-scripting-xss-vulnerabilities-in-redcap-cve-2024-37394-cve-2024-37395-and-cve-2024-37396/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.trustwave.com/hubfs/Web/Library/Advisories_txt/TWSL2024-003_XSS_REDCap_1.txt"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Third Party Advisory",
"Exploit"
],
"url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/multiple-cross-site-scripting-xss-vulnerabilities-in-redcap-cve-2024-37394-cve-2024-37395-and-cve-2024-37396/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-08-21 19:15
Modified
2024-11-21 04:28
Severity ?
Summary
REDCap before 9.3.0 allows XSS attacks against non-administrator accounts on the Data Import Tool page via a CSV data import file.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "89D0694B-C54F-4744-83FB-D7F4EDC3F87C",
"versionEndExcluding": "9.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "REDCap before 9.3.0 allows XSS attacks against non-administrator accounts on the Data Import Tool page via a CSV data import file."
},
{
"lang": "es",
"value": "REDCap anterior a la versi\u00f3n 9.3.0 permite ataques XSS contra cuentas que no son de administrador en la p\u00e1gina Herramienta de importaci\u00f3n de datos a trav\u00e9s de un archivo de importaci\u00f3n de datos CSV."
}
],
"id": "CVE-2019-15127",
"lastModified": "2024-11-21T04:28:06.530",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-08-21T19:15:13.980",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-06-10 18:15
Modified
2025-06-16 15:12
Severity ?
Summary
A stored cross-site scripting (XSS) vulnerability in the Calendar function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Notes' field of a calendar event. This could lead to the execution of malicious scripts when the event is viewed. Updating to version 14.2.1 or later is recommended to remediate this vulnerability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1142BA00-A7E2-4FC5-8BA8-C39BAB119DA8",
"versionEndExcluding": "14.2.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in the Calendar function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the \u0027Notes\u0027 field of a calendar event. This could lead to the execution of malicious scripts when the event is viewed. Updating to version 14.2.1 or later is recommended to remediate this vulnerability."
},
{
"lang": "es",
"value": "Una vulnerabilidad de cross site scripting (XSS) almacenado en la funci\u00f3n Calendario de REDCap 13.1.9 permite a usuarios autenticados ejecutar scripts web o HTML arbitrarios mediante la inyecci\u00f3n de un payload manipulado en el campo \"Notas\" de un evento del calendario. Esto podr\u00eda provocar la ejecuci\u00f3n de scripts maliciosos al visualizar el evento. Se recomienda actualizar a la versi\u00f3n 14.2.1 o posterior para corregir esta vulnerabilidad."
}
],
"id": "CVE-2024-37396",
"lastModified": "2025-06-16T15:12:55.560",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-06-10T18:15:29.773",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"Exploit"
],
"url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/multiple-cross-site-scripting-xss-vulnerabilities-in-redcap-cve-2024-37394-cve-2024-37395-and-cve-2024-37396/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.trustwave.com/hubfs/Web/Library/Advisories_txt/TWSL2024-003_XSS_REDCap_1.txt"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Third Party Advisory",
"Exploit"
],
"url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/multiple-cross-site-scripting-xss-vulnerabilities-in-redcap-cve-2024-37394-cve-2024-37395-and-cve-2024-37396/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-09-07 19:15
Modified
2024-11-21 08:12
Severity ?
Summary
A stored cross-site scripting (XSS) vulnerability in the new REDCap project creation function of Vanderbilt REDCap 13.1.35 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the project title parameter.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "40893ACC-652C-4691-8BEB-D3AFBBDE63FD",
"versionEndIncluding": "13.1.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in the new REDCap project creation function of Vanderbilt REDCap 13.1.35 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the project title parameter."
},
{
"lang": "es",
"value": "Una vulnerabilidad de Cross-Site Scripting (XSS) Almacenado en la nueva funci\u00f3n de creaci\u00f3n de proyectos REDCap de Vanderbilt REDCap 13.1.35 permite a los atacantes ejecutar scripts web arbitrarios o HTML mediante la inyecci\u00f3n de un payload manipulado en el par\u00e1metro \"project title\"."
}
],
"id": "CVE-2023-37798",
"lastModified": "2024-11-21T08:12:16.670",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-09-07T19:15:47.510",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "http://redcap.com"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "http://vanderbilt.com"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.cyderes.com/blog/cve-2023-37798-stored-cross-site-scripting-in-vanderbilt-redcap/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "http://redcap.com"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "http://vanderbilt.com"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.cyderes.com/blog/cve-2023-37798-stored-cross-site-scripting-in-vanderbilt-redcap/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-07-18 14:29
Modified
2025-04-20 01:37
Severity ?
Summary
REDCap before 7.5.1 has CSRF in the deletion feature of the File Repository and File Upload components.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8459A929-646B-481D-9C23-78818C7D8FE6",
"versionEndIncluding": "7.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "REDCap before 7.5.1 has CSRF in the deletion feature of the File Repository and File Upload components."
},
{
"lang": "es",
"value": "REDCap anterior a versi\u00f3n 7.5.1, presenta un problema de tipo CSRF en la funci\u00f3n deletion de los componentes File Repository y File Upload."
}
],
"id": "CVE-2017-10961",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-07-18T14:29:00.187",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Permissions Required"
],
"url": "https://community.projectredcap.org/articles/13/changelog-standard-release.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://gist.github.com/jordanpotti/fef4f1ada404d5ba7f88ab42e93cdaae"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required"
],
"url": "https://community.projectredcap.org/articles/13/changelog-standard-release.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://gist.github.com/jordanpotti/fef4f1ada404d5ba7f88ab42e93cdaae"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-11-02 21:15
Modified
2024-11-21 05:21
Severity ?
Summary
An issue was discovered in REDCap 8.11.6 through 9.x before 10. The messenger's CSV feature (that allows users to export their conversation threads as CSV) allows non-privileged users to export one another's conversation threads by changing the thread_id parameter in the request to the endpoint Messenger/messenger_download_csv.php?title=Hey&thread_id={THREAD_ID}.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/seb1055/cve-2020-27358-27359 | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Exploit, Vendor Advisory | |
| cve@mitre.org | https://www.ruse.tech/blog/38 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/seb1055/cve-2020-27358-27359 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Exploit, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.ruse.tech/blog/38 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "51C25902-74A8-42CF-A9EA-10E66B81E466",
"versionEndExcluding": "10.0",
"versionStartIncluding": "8.11.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in REDCap 8.11.6 through 9.x before 10. The messenger\u0027s CSV feature (that allows users to export their conversation threads as CSV) allows non-privileged users to export one another\u0027s conversation threads by changing the thread_id parameter in the request to the endpoint Messenger/messenger_download_csv.php?title=Hey\u0026thread_id={THREAD_ID}."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en REDCap versiones 8.11.6 hasta 9.x anteriores a 10. La funcionalidad CSV de messenger (que permite a usuarios exportar sus hilos de conversaci\u00f3n como CSV) permite a usuarios no privilegiados exportar los hilos de conversaci\u00f3n de los dem\u00e1s al cambiar el par\u00e1metro thread_id en la petici\u00f3n para el endpoint Messenger/messenger_download_csv.php?title=Hey\u0026amp;thread_id={THREAD_ID}"
}
],
"id": "CVE-2020-27358",
"lastModified": "2024-11-21T05:21:03.527",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-11-02T21:15:28.647",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/seb1055/cve-2020-27358-27359"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.ruse.tech/blog/38"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/seb1055/cve-2020-27358-27359"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.ruse.tech/blog/38"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-276"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-06-17 11:38
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in REDCap before 4.14.3 allows remote authenticated users to inject arbitrary web script or HTML via uppercase characters in JavaScript events within user-defined labels.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * | |
| vanderbilt | redcap | 4.14.0 | |
| vanderbilt | redcap | 4.14.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "17727622-4793-4DCF-8991-A1FF3F2EC1A3",
"versionEndIncluding": "4.14.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D293B038-228E-42B6-BC99-9BDFCD8D562C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "789C86D0-A11F-4C40-950A-5A617AD7C23A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in REDCap before 4.14.3 allows remote authenticated users to inject arbitrary web script or HTML via uppercase characters in JavaScript events within user-defined labels."
},
{
"lang": "es",
"value": "Vulnerabilidad Cross-site scripting (XSS) en REDCap anterior a v4.14.3 permite a los usuarios remotos autenticados inyectar secuencias de comandos web o HTML a trav\u00e9s de caracteres may\u00fasculas en los eventos de JavaScript dentro de las etiquetas definidas por el usuario."
}
],
"id": "CVE-2012-6565",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2013-06-17T11:38:48.870",
"references": [
{
"source": "cve@mitre.org",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-06-17 11:38
Modified
2025-04-11 00:51
Severity ?
Summary
Unspecified vulnerability in the Data Search utility in data-entry forms in REDCap before 5.0.3 and 5.1.x before 5.1.2 has unknown impact and remote attack vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| project-redcap | redcap | 4.13.18 | |
| project-redcap | redcap | 4.14.5 | |
| project-redcap | redcap | 4.14.6 | |
| project-redcap | redcap | 4.15.0 | |
| project-redcap | redcap | 4.15.1 | |
| project-redcap | redcap | 4.15.2 | |
| project-redcap | redcap | 4.15.3 | |
| project-redcap | redcap | 4.15.4 | |
| project-redcap | redcap | 5.0.0 | |
| project-redcap | redcap | 5.0.1 | |
| project-redcap | redcap | 5.0.6 | |
| project-redcap | redcap | 5.1.0 | |
| project-redcap | redcap | 5.1.1 | |
| vanderbilt | redcap | * | |
| vanderbilt | redcap | 4.14.0 | |
| vanderbilt | redcap | 4.14.1 | |
| vanderbilt | redcap | 4.14.2 | |
| vanderbilt | redcap | 4.14.3 | |
| vanderbilt | redcap | 4.14.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.13.18:*:*:*:*:*:*:*",
"matchCriteriaId": "58C92B2E-A9AF-43B4-B1E4-7A873AF1DEAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.14.5:*:*:*:*:*:*:*",
"matchCriteriaId": "DA4E7E65-1147-4620-B31F-617D34822E9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.14.6:*:*:*:*:*:*:*",
"matchCriteriaId": "00CED35E-7640-44D4-B5A4-EED2D0163C79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.0:*:*:*:*:*:*:*",
"matchCriteriaId": "61C3C73D-1818-4DB7-A806-FC999EADE7E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.1:*:*:*:*:*:*:*",
"matchCriteriaId": "8347F389-9331-4689-B52A-87ABFFF02141",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B739D2A5-46DF-4CE8-9BAB-6BB94743D21D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7969B764-47A6-4AC7-B18E-236FF25C6552",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.4:*:*:*:*:*:*:*",
"matchCriteriaId": "26E48768-FDF1-4A54-8F0E-EC4732B55D66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F62B324D-6F70-41B8-B3AC-CDA6D4C3AB25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "7712A887-BB81-4FAE-9B76-FB9886BE41D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "7B2AB13A-9C46-4F92-B0D4-96358CF0FDC1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "AA90F46D-9A07-47ED-9A61-C82CBF823D55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5BDCFE16-45B4-4ADA-AD2D-CBD7706A0C23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "77B524B5-416A-4082-B36E-55F22F470AFE",
"versionEndIncluding": "5.0.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D293B038-228E-42B6-BC99-9BDFCD8D562C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "789C86D0-A11F-4C40-950A-5A617AD7C23A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C366E672-CD77-4932-80D2-09A61B3B1A8E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.3:*:*:*:*:*:*:*",
"matchCriteriaId": "F7055FD2-C107-4D23-8B8C-28607C0C0ADA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3242EC5F-0091-4097-9C6E-ADE5100017AF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unspecified vulnerability in the Data Search utility in data-entry forms in REDCap before 5.0.3 and 5.1.x before 5.1.2 has unknown impact and remote attack vectors."
},
{
"lang": "es",
"value": "Vulnerabilidad no especificada en la utilidad Data Search en los formularios de entrada de datos de REDCap anterior a v5.0.3 y v5.1.x anterior a v5.1.2 tiene un impacto y vectores de ataque desconocidos."
}
],
"id": "CVE-2013-4610",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-06-17T11:38:53.590",
"references": [
{
"source": "cve@mitre.org",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-04 03:15
Modified
2024-11-21 04:31
Severity ?
Summary
REDCap before 9.3.4 has XSS on the Customize & Manage Locking/E-signatures page via Lock Record Custom Text values.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "181A3B66-344F-4AB0-BCFF-B2EAC05B94DF",
"versionEndExcluding": "9.3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "REDCap before 9.3.4 has XSS on the Customize \u0026 Manage Locking/E-signatures page via Lock Record Custom Text values."
},
{
"lang": "es",
"value": "REDCap versiones anteriores a 9.3.4, presenta una vulnerabilidad de tipo XSS en la p\u00e1gina Customize \u0026amp; Manage Locking/E-signatures por medio de valores Lock Record Custom Text."
}
],
"id": "CVE-2019-17121",
"lastModified": "2024-11-21T04:31:44.237",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-04T03:15:10.273",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-06-17 11:38
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in REDCap before 4.14.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * | |
| vanderbilt | redcap | 4.14.0 | |
| vanderbilt | redcap | 4.14.1 | |
| vanderbilt | redcap | 4.14.2 | |
| vanderbilt | redcap | 4.14.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A198B961-0814-4C71-AD2E-8F61E5220F60",
"versionEndIncluding": "4.14.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D293B038-228E-42B6-BC99-9BDFCD8D562C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "789C86D0-A11F-4C40-950A-5A617AD7C23A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C366E672-CD77-4932-80D2-09A61B3B1A8E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.3:*:*:*:*:*:*:*",
"matchCriteriaId": "F7055FD2-C107-4D23-8B8C-28607C0C0ADA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in REDCap before 4.14.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
},
{
"lang": "es",
"value": "Vulnerabilidad Cross-site scripting (XSS) en REDCap anterior a v4.14.5 permite a atacantes remotos a inyectar secuencias de comandos Web o HTML a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2012-6564",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2013-06-17T11:38:48.833",
"references": [
{
"source": "cve@mitre.org",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-06-17 11:38
Modified
2025-04-11 00:51
Severity ?
Summary
Multiple unspecified vulnerabilities in REDCap before 5.1.1 allow remote attackers to have an unknown impact via vectors involving (1) the Online Designer page or (2) the Manage Survey Participants page.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| project-redcap | redcap | 4.13.18 | |
| project-redcap | redcap | 4.14.5 | |
| project-redcap | redcap | 4.14.6 | |
| project-redcap | redcap | 4.15.0 | |
| project-redcap | redcap | 4.15.1 | |
| project-redcap | redcap | 4.15.2 | |
| project-redcap | redcap | 4.15.3 | |
| project-redcap | redcap | 4.15.4 | |
| project-redcap | redcap | 5.0.0 | |
| project-redcap | redcap | 5.0.1 | |
| project-redcap | redcap | 5.0.2 | |
| project-redcap | redcap | 5.0.3 | |
| project-redcap | redcap | 5.0.4 | |
| project-redcap | redcap | 5.0.5 | |
| project-redcap | redcap | 5.0.6 | |
| vanderbilt | redcap | * | |
| vanderbilt | redcap | 4.14.0 | |
| vanderbilt | redcap | 4.14.1 | |
| vanderbilt | redcap | 4.14.2 | |
| vanderbilt | redcap | 4.14.3 | |
| vanderbilt | redcap | 4.14.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.13.18:*:*:*:*:*:*:*",
"matchCriteriaId": "58C92B2E-A9AF-43B4-B1E4-7A873AF1DEAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.14.5:*:*:*:*:*:*:*",
"matchCriteriaId": "DA4E7E65-1147-4620-B31F-617D34822E9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.14.6:*:*:*:*:*:*:*",
"matchCriteriaId": "00CED35E-7640-44D4-B5A4-EED2D0163C79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.0:*:*:*:*:*:*:*",
"matchCriteriaId": "61C3C73D-1818-4DB7-A806-FC999EADE7E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.1:*:*:*:*:*:*:*",
"matchCriteriaId": "8347F389-9331-4689-B52A-87ABFFF02141",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B739D2A5-46DF-4CE8-9BAB-6BB94743D21D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7969B764-47A6-4AC7-B18E-236FF25C6552",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.4:*:*:*:*:*:*:*",
"matchCriteriaId": "26E48768-FDF1-4A54-8F0E-EC4732B55D66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F62B324D-6F70-41B8-B3AC-CDA6D4C3AB25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "7712A887-BB81-4FAE-9B76-FB9886BE41D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "817D8D01-B8E1-4F86-9ACE-0CAF87DA13A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "5241C18D-9714-4DEA-9552-55DD3FBE4613",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "220E8227-7D41-48A9-9D61-BEB47EB19FCA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0D82141E-A1F3-474C-86CE-C7409C4E445F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "7B2AB13A-9C46-4F92-B0D4-96358CF0FDC1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C765A45C-FBBA-4AA0-97BB-9945A8456072",
"versionEndIncluding": "5.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D293B038-228E-42B6-BC99-9BDFCD8D562C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "789C86D0-A11F-4C40-950A-5A617AD7C23A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C366E672-CD77-4932-80D2-09A61B3B1A8E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.3:*:*:*:*:*:*:*",
"matchCriteriaId": "F7055FD2-C107-4D23-8B8C-28607C0C0ADA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3242EC5F-0091-4097-9C6E-ADE5100017AF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple unspecified vulnerabilities in REDCap before 5.1.1 allow remote attackers to have an unknown impact via vectors involving (1) the Online Designer page or (2) the Manage Survey Participants page."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades no especificadas en REDCap anterior a v5.1.1 permite a atacantes remotos tener un impacto no determinado a trav\u00e9s de vectores que implican (1) la pagina de Online Designer o (2) la pagina de Manage Survey Participants."
}
],
"id": "CVE-2013-4611",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-06-17T11:38:53.613",
"references": [
{
"source": "cve@mitre.org",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-12-22 21:15
Modified
2025-04-22 15:37
Severity ?
Summary
REDCap through 14.9.6 has a security flaw in the Project Dashboards name, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into clicking on a Project Dashboards name that contains the malicious payload, which triggers a logout request and terminates their session. This vulnerability stems from the absence of CSRF protections on the logout functionality, allowing malicious actions to be executed without user consent.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Product |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "08C656CE-426D-43CB-BB3A-92EDFA9B40B6",
"versionEndIncluding": "14.9.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "REDCap through 14.9.6 has a security flaw in the Project Dashboards name, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into clicking on a Project Dashboards name that contains the malicious payload, which triggers a logout request and terminates their session. This vulnerability stems from the absence of CSRF protections on the logout functionality, allowing malicious actions to be executed without user consent."
},
{
"lang": "es",
"value": "REDCap hasta la versi\u00f3n 15.0.0 tiene una falla de seguridad en el nombre de Project Dashboards, lo que expone a los usuarios a un ataque de Cross-Site Request Forgery (CSRF). Un atacante puede aprovechar esto al atraer a los usuarios para que hagan clic en un nombre de Project Dashboards que contenga la carga maliciosa, lo que desencadena una solicitud de cierre de sesi\u00f3n y finaliza su sesi\u00f3n. Esta vulnerabilidad se origina en la ausencia de protecciones CSRF en la funcionalidad de cierre de sesi\u00f3n, lo que permite que se ejecuten acciones maliciosas sin el consentimiento del usuario."
}
],
"id": "CVE-2024-56310",
"lastModified": "2025-04-22T15:37:46.670",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-12-22T21:15:16.433",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-01-09 23:15
Modified
2025-01-16 21:10
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
A stored cross-site scripting (XSS) vulnerability in the built-in messenger of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the message field. When a user click on the received message, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE-2024-56376/README.md | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | 14.9.6 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:14.9.6:*:*:*:*:*:*:*",
"matchCriteriaId": "9A7B89E2-F504-45AE-8AB3-D1E31B2DD5EF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in the built-in messenger of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the message field. When a user click on the received message, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts."
},
{
"lang": "es",
"value": "Una vulnerabilidad de Cross Site Scripting (XSS) almacenado en el mensajero integrado de REDCap 14.9.6 permite a los usuarios autenticados inyectar secuencias de comandos maliciosas en el campo de mensajes. Cuando un usuario hace clic en el mensaje recibido, se ejecuta el payload manipulado, lo que potencialmente permite la ejecuci\u00f3n de web scripts arbitrarios."
}
],
"id": "CVE-2024-56376",
"lastModified": "2025-01-16T21:10:10.170",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-01-09T23:15:07.827",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE-2024-56376/README.md"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-07-25 01:15
Modified
2024-11-21 08:11
Severity ?
Summary
REDCap 12.0.26 LTS and 12.3.2 Standard allows SQL Injection via scheduling, repeatforms, purpose, app_title, or randomization.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://trustwave.com | Not Applicable | |
| cve@mitre.org | https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=32305 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://trustwave.com | Not Applicable | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=32305 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * | |
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A617CBA8-C5BE-4043-9B80-03C66F1447CD",
"versionEndExcluding": "12.3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:lts:*:*:*",
"matchCriteriaId": "95A5B3F3-8497-4CFE-97A1-FAAF2E589777",
"versionEndExcluding": "12.0.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "REDCap 12.0.26 LTS and 12.3.2 Standard allows SQL Injection via scheduling, repeatforms, purpose, app_title, or randomization."
}
],
"id": "CVE-2023-37361",
"lastModified": "2024-11-21T08:11:34.950",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-07-25T01:15:09.377",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Not Applicable"
],
"url": "https://trustwave.com"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=32305"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Not Applicable"
],
"url": "https://trustwave.com"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=32305"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-06-17 11:38
Modified
2025-04-11 00:51
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in REDCap before 5.1.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving different modules.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| project-redcap | redcap | 4.13.18 | |
| project-redcap | redcap | 4.14.5 | |
| project-redcap | redcap | 4.14.6 | |
| project-redcap | redcap | 4.15.0 | |
| project-redcap | redcap | 4.15.1 | |
| project-redcap | redcap | 4.15.2 | |
| project-redcap | redcap | 4.15.3 | |
| project-redcap | redcap | 4.15.4 | |
| project-redcap | redcap | 5.0.0 | |
| project-redcap | redcap | 5.0.1 | |
| project-redcap | redcap | 5.0.2 | |
| project-redcap | redcap | 5.0.3 | |
| project-redcap | redcap | 5.0.4 | |
| project-redcap | redcap | 5.0.5 | |
| vanderbilt | redcap | * | |
| vanderbilt | redcap | 4.14.0 | |
| vanderbilt | redcap | 4.14.1 | |
| vanderbilt | redcap | 4.14.2 | |
| vanderbilt | redcap | 4.14.3 | |
| vanderbilt | redcap | 4.14.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.13.18:*:*:*:*:*:*:*",
"matchCriteriaId": "58C92B2E-A9AF-43B4-B1E4-7A873AF1DEAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.14.5:*:*:*:*:*:*:*",
"matchCriteriaId": "DA4E7E65-1147-4620-B31F-617D34822E9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.14.6:*:*:*:*:*:*:*",
"matchCriteriaId": "00CED35E-7640-44D4-B5A4-EED2D0163C79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.0:*:*:*:*:*:*:*",
"matchCriteriaId": "61C3C73D-1818-4DB7-A806-FC999EADE7E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.1:*:*:*:*:*:*:*",
"matchCriteriaId": "8347F389-9331-4689-B52A-87ABFFF02141",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B739D2A5-46DF-4CE8-9BAB-6BB94743D21D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7969B764-47A6-4AC7-B18E-236FF25C6552",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.4:*:*:*:*:*:*:*",
"matchCriteriaId": "26E48768-FDF1-4A54-8F0E-EC4732B55D66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F62B324D-6F70-41B8-B3AC-CDA6D4C3AB25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "7712A887-BB81-4FAE-9B76-FB9886BE41D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "817D8D01-B8E1-4F86-9ACE-0CAF87DA13A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "5241C18D-9714-4DEA-9552-55DD3FBE4613",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "220E8227-7D41-48A9-9D61-BEB47EB19FCA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0D82141E-A1F3-474C-86CE-C7409C4E445F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "82D2498A-677C-41B3-8966-0DC701401F88",
"versionEndIncluding": "5.0.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D293B038-228E-42B6-BC99-9BDFCD8D562C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "789C86D0-A11F-4C40-950A-5A617AD7C23A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C366E672-CD77-4932-80D2-09A61B3B1A8E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.3:*:*:*:*:*:*:*",
"matchCriteriaId": "F7055FD2-C107-4D23-8B8C-28607C0C0ADA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3242EC5F-0091-4097-9C6E-ADE5100017AF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in REDCap before 5.1.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving different modules."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de cross-site scripting (XSS) en REDCap anterior a v5.1.0 permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s de vectores no especificados implicando diferentes m\u00f3dulos."
}
],
"id": "CVE-2013-4612",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2013-06-17T11:38:53.637",
"references": [
{
"source": "cve@mitre.org",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-07-11 19:15
Modified
2025-03-19 20:15
Severity ?
Summary
Multiple stored Cross-site scripting (XSS) issues in the admin panel and survey system in REDCap 8 before 8.10.20 and 9 before 9.1.2 allow an attacker to inject arbitrary malicious HTML or JavaScript code into a user's web browser.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/153691/REDCap-Cross-Site-Scripting.html | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://github.com/WlX-33/PoC-for-CVE/blob/main/CVE-2019-13029/REDCap%20Cross%20Site%20Scripting.txt | ||
| cve@mitre.org | https://gitlab.com/snippets/1874216 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/153691/REDCap-Cross-Site-Scripting.html | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://gitlab.com/snippets/1874216 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * | |
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7D11F327-2589-4674-B592-34204181109B",
"versionEndExcluding": "8.10.2",
"versionStartIncluding": "8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A78AEDD-608F-4583-BF89-92A3066F7EA1",
"versionEndExcluding": "9.1.2",
"versionStartIncluding": "9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple stored Cross-site scripting (XSS) issues in the admin panel and survey system in REDCap 8 before 8.10.20 and 9 before 9.1.2 allow an attacker to inject arbitrary malicious HTML or JavaScript code into a user\u0027s web browser."
},
{
"lang": "es",
"value": "M\u00faltiples problemas de tipo cross-site-scripting (XSS) almacenados en el panel de administraci\u00f3n y el sistema de encuestas en REDCap versiones 8 anteriores a 8.10.20 y versiones 9 anteriores a 9.1.2, permiten a un atacante inyectar c\u00f3digo HTML o JavaScript malicioso y arbitrario en el navegador web de un usuario."
}
],
"id": "CVE-2019-13029",
"lastModified": "2025-03-19T20:15:16.460",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-07-11T19:15:13.237",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/153691/REDCap-Cross-Site-Scripting.html"
},
{
"source": "cve@mitre.org",
"url": "https://github.com/WlX-33/PoC-for-CVE/blob/main/CVE-2019-13029/REDCap%20Cross%20Site%20Scripting.txt"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://gitlab.com/snippets/1874216"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/153691/REDCap-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://gitlab.com/snippets/1874216"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-06-15 19:15
Modified
2024-11-21 06:49
Severity ?
Summary
A Stored Cross-Site Scripting (XSS) vulnerability was discovered in ProjectGeneral/edit_project_settings.php in REDCap 12.0.11. This issue allows any user with project management permissions to inject arbitrary code into the project title (app_title) field when editing an existing project. The payload is then reflected within the title tag of the page.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/ | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | 12.0.11 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:12.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "F352AFB1-6A9E-4FE9-80AF-195DA07E0DAE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A Stored Cross-Site Scripting (XSS) vulnerability was discovered in ProjectGeneral/edit_project_settings.php in REDCap 12.0.11. This issue allows any user with project management permissions to inject arbitrary code into the project title (app_title) field when editing an existing project. The payload is then reflected within the title tag of the page."
},
{
"lang": "es",
"value": "Se ha detectado una vulnerabilidad de Cross-Site Scripting (XSS) almacenadas en el archivo ProjectGeneral/edit_project_settings.php en REDCap versi\u00f3n 12.0.11. Este problema permite a cualquier usuario con permisos de administraci\u00f3n de proyectos inyectar c\u00f3digo arbitrario en el campo del t\u00edtulo del proyecto (app_title) cuando es editado un proyecto existente. La carga \u00fatil es reflejada entonces en la etiqueta de t\u00edtulo de la p\u00e1gina"
}
],
"id": "CVE-2022-24127",
"lastModified": "2024-11-21T06:49:51.967",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-15T19:15:10.840",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-10-12 13:15
Modified
2025-05-15 18:15
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
A reflected XSS vulnerability exists in REDCap before 12.04.18 in the Alerts & Notifications upload feature. A crafted CSV file will, when uploaded, trigger arbitrary JavaScript code execution.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/uclahs-secops/security-research/tree/main/reports/20221011-recap-xss | Exploit, Third Party Advisory | |
| cve@mitre.org | https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf | Release Notes, Third Party Advisory | |
| cve@mitre.org | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/uclahs-secops/security-research/tree/main/reports/20221011-recap-xss | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * | |
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "99E46B49-3C2C-4FA8-85E2-921321D4F318",
"versionEndExcluding": "12.4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EA65CD2E-81E9-42A1-B8DE-96C0A7BAEDD4",
"versionEndExcluding": "12.5.11",
"versionStartIncluding": "12.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A reflected XSS vulnerability exists in REDCap before 12.04.18 in the Alerts \u0026 Notifications upload feature. A crafted CSV file will, when uploaded, trigger arbitrary JavaScript code execution."
},
{
"lang": "es",
"value": "Se presenta una vulnerabilidad de tipo XSS reflejado en REDCap versiones anteriores a 12.04.18, en la funcionalidad Alerts \u0026amp; Notifications upload. Un archivo CSV dise\u00f1ado, cuando es cargado, desencadena una ejecuci\u00f3n arbitraria de c\u00f3digo JavaScript"
}
],
"id": "CVE-2022-42715",
"lastModified": "2025-05-15T18:15:32.587",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-10-12T13:15:10.833",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/uclahs-secops/security-research/tree/main/reports/20221011-recap-xss"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/uclahs-secops/security-research/tree/main/reports/20221011-recap-xss"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-06-17 11:38
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in REDCap before 4.14.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * | |
| vanderbilt | redcap | 4.14.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "807A465D-4AA0-4AD5-B451-E5F241829FB8",
"versionEndIncluding": "4.14.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D293B038-228E-42B6-BC99-9BDFCD8D562C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in REDCap before 4.14.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
},
{
"lang": "es",
"value": "Vulnerabilidad Cross-site scripting (XSS) en REDCap anterior a v4.14.2 permite a atacantes remotos a inyectar secuencias de comandos Web o HTML a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2012-6566",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2013-06-17T11:38:48.893",
"references": [
{
"source": "cve@mitre.org",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-06-10 18:15
Modified
2025-06-16 15:15
Severity ?
Summary
A stored cross-site scripting (XSS) vulnerability in the Public Survey function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Survey Title' and 'Survey Instructions' fields. This vulnerability could be exploited by attackers to execute malicious scripts when the survey is accessed through its public link. It is advised to update to version 14.2.1 or later to fix this issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1142BA00-A7E2-4FC5-8BA8-C39BAB119DA8",
"versionEndExcluding": "14.2.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in the Public Survey function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the \u0027Survey Title\u0027 and \u0027Survey Instructions\u0027 fields. This vulnerability could be exploited by attackers to execute malicious scripts when the survey is accessed through its public link. It is advised to update to version 14.2.1 or later to fix this issue."
},
{
"lang": "es",
"value": "Una vulnerabilidad de cross site scripting (XSS) almacenado en la funci\u00f3n de Encuesta P\u00fablica de REDCap 13.1.9 permite a usuarios autenticados ejecutar scripts web o HTML arbitrarios mediante la inyecci\u00f3n de un payload manipulado en los campos \"T\u00edtulo de la encuesta\" e \"Instrucciones de la encuesta\". Esta vulnerabilidad podr\u00eda ser explotada por atacantes para ejecutar scripts maliciosos al acceder a la encuesta a trav\u00e9s de su enlace p\u00fablico. Se recomienda actualizar a la versi\u00f3n 14.2.1 o posterior para solucionar este problema."
}
],
"id": "CVE-2024-37395",
"lastModified": "2025-06-16T15:15:48.497",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-06-10T18:15:29.660",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"Exploit"
],
"url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/multiple-cross-site-scripting-xss-vulnerabilities-in-redcap-cve-2024-37394-cve-2024-37395-and-cve-2024-37396/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.trustwave.com/hubfs/Web/Library/Advisories_txt/TWSL2024-003_XSS_REDCap_1.txt"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Third Party Advisory",
"Exploit"
],
"url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/multiple-cross-site-scripting-xss-vulnerabilities-in-redcap-cve-2024-37394-cve-2024-37395-and-cve-2024-37396/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-09-02 05:15
Modified
2025-04-30 16:44
Severity ?
Summary
REDCap 14.7.0 allows HTML injection via the project title of a New Project action. This can lead to resultant logout CSRF via index.php?logout=1, and can also be used to insert a link to an external phishing website.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/ShellFighter/Reports/blob/main/Vanderbilt%20REDCap%2014.7.0.md | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Product |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | 14.7.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:14.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1DC7238A-9485-4D2B-84D1-9D01CC8E0118",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "REDCap 14.7.0 allows HTML injection via the project title of a New Project action. This can lead to resultant logout CSRF via index.php?logout=1, and can also be used to insert a link to an external phishing website."
},
{
"lang": "es",
"value": "REDCap 14.7.0 permite la inyecci\u00f3n de HTML a trav\u00e9s del t\u00edtulo del proyecto de una acci\u00f3n Nuevo proyecto. Esto puede generar un CSRF de cierre de sesi\u00f3n resultante a trav\u00e9s de index.php?logout=1 y tambi\u00e9n se puede utilizar para insertar un enlace a un sitio web externo de phishing."
}
],
"id": "CVE-2024-45527",
"lastModified": "2025-04-30T16:44:33.270",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-09-02T05:15:17.627",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/ShellFighter/Reports/blob/main/Vanderbilt%20REDCap%2014.7.0.md"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-13 16:15
Modified
2024-11-21 06:27
Severity ?
Summary
A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap before 11.4.0 allows remote attackers to execute JavaScript code in the client's browser by storing said code as a Missing Data Code value. This can then be leveraged to execute a Cross-Site Request Forgery attack to escalate privileges to administrator.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/166723/REDCap-Cross-Site-Scripting.html | Exploit, Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf | Release Notes, Third Party Advisory | |
| cve@mitre.org | https://www.project-redcap.org/ | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/166723/REDCap-Cross-Site-Scripting.html | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.project-redcap.org/ | Product |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B53CE43E-0282-4628-9EC5-5C17F89712BB",
"versionEndExcluding": "11.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap before 11.4.0 allows remote attackers to execute JavaScript code in the client\u0027s browser by storing said code as a Missing Data Code value. This can then be leveraged to execute a Cross-Site Request Forgery attack to escalate privileges to administrator."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo Cross-Site Scripting (XSS) almacenada en la funcionalidad Missing Data Codes de REDCap versi\u00f3n 11.2.5, permite a atacantes remotos ejecutar c\u00f3digo JavaScript en el navegador del cliente al almacenar dicho c\u00f3digo como un valor de c\u00f3digo de datos perdidos. Esto puede ser aprovechado para ejecutar un ataque de tipo Cross-Site Request Forgery para escalar privilegios a administrador"
}
],
"id": "CVE-2021-42136",
"lastModified": "2024-11-21T06:27:20.160",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-13T16:15:09.563",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/166723/REDCap-Cross-Site-Scripting.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.project-redcap.org/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/166723/REDCap-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://www.project-redcap.org/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-06-15 19:15
Modified
2024-11-21 06:49
Severity ?
Summary
A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Messenger/messenger_ajax.php in REDCap 12.0.11. This issue allows any authenticated user to inject arbitrary code into the messenger title (aka new_title) field when editing an existing conversation. The payload executes in the browser of any conversation participant with the sidebar shown.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/ | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | 12.0.11 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:12.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "F352AFB1-6A9E-4FE9-80AF-195DA07E0DAE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Messenger/messenger_ajax.php in REDCap 12.0.11. This issue allows any authenticated user to inject arbitrary code into the messenger title (aka new_title) field when editing an existing conversation. The payload executes in the browser of any conversation participant with the sidebar shown."
},
{
"lang": "es",
"value": "Se ha detectado una vulnerabilidad de tipo Cross-Site Scripting (XSS) almacenado en el archivo Messenger/messenger_ajax.php en REDCap versi\u00f3n 12.0.11. Este problema permite a cualquier usuario autenticado inyectar c\u00f3digo arbitrario en el campo del t\u00edtulo de Messenger (tambi\u00e9n se conoce como new_title) cuando es editada una conversaci\u00f3n existente. La carga \u00fatil es ejecutada en el navegador de cualquier participante de la conversaci\u00f3n con la barra lateral mostrada"
}
],
"id": "CVE-2022-24004",
"lastModified": "2024-11-21T06:49:38.347",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-15T19:15:10.790",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-02-08 15:29
Modified
2024-11-21 03:31
Severity ?
Summary
A SQL injection issue exists in a file upload handler in REDCap 7.x before 7.0.11 via a trailing substring to SendITController:upload.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F4E4E26B-01A3-472F-B4CA-0944E7B86212",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "7.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A SQL injection issue exists in a file upload handler in REDCap 7.x before 7.0.11 via a trailing substring to SendITController:upload."
},
{
"lang": "es",
"value": "Existe un problema de inyecci\u00f3n SQL en un manipulador de subida de archivos en REDCap, en versiones 7.x anteriores a la 7.0.11, mediante una subcadena final a SendITController:upload."
}
],
"id": "CVE-2017-7351",
"lastModified": "2024-11-21T03:31:40.143",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-02-08T15:29:00.277",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://labs.nettitude.com/blog/cve-2017-7351-redcap-7-0-0-7-0-10-sql-injection/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://labs.nettitude.com/blog/cve-2017-7351-redcap-7-0-0-7-0-10-sql-injection/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-12-22 22:15
Modified
2025-04-22 15:43
Severity ?
Summary
A stored cross-site scripting (XSS) vulnerability in the Calendar feature of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the Notes field of a calendar event. When the event is viewed, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Product |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "08C656CE-426D-43CB-BB3A-92EDFA9B40B6",
"versionEndIncluding": "14.9.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in the Calendar feature of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the Notes field of a calendar event. When the event is viewed, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts."
},
{
"lang": "es",
"value": "Una vulnerabilidad de cross-site scripting (XSS) almacenado en la funci\u00f3n Calendario de REDCap hasta la versi\u00f3n 15.0.0 permite a los usuarios autenticados inyectar secuencias de comandos maliciosas en el campo Notas de un evento del calendario. Cuando se visualiza el evento, se ejecuta el payload manipulado, lo que potencialmente permite la ejecuci\u00f3n de secuencias de comandos web arbitrarias."
}
],
"id": "CVE-2024-56313",
"lastModified": "2025-04-22T15:43:40.670",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-12-22T22:15:06.540",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-08-17 17:15
Modified
2024-11-21 04:27
Severity ?
Summary
REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php. The attacker can obtain a user's login sessionid from the database, and then re-login into REDCap to compromise all data.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BE852A90-17E8-48F1-8AB7-9926B9091574",
"versionEndExcluding": "9.3.0",
"versionStartIncluding": "8.11.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php. The attacker can obtain a user\u0027s login sessionid from the database, and then re-login into REDCap to compromise all data."
},
{
"lang": "es",
"value": "REDCap versiones anteriores a 9.3.0, permite la inyecci\u00f3n SQL basada en tiempo en el evento de edici\u00f3n de calendario por medio del par\u00e1metro cal_id, tales como cal_id=55 y sleep(3) en el archivo Calendar/calendar_popup_ajax.php. El atacante puede obtener un sessionid del inicio de sesi\u00f3n de un usuario desde la base de datos y luego volver a iniciar sesi\u00f3n en REDCap para comprometer todos los datos."
}
],
"id": "CVE-2019-14937",
"lastModified": "2024-11-21T04:27:43.447",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.6,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-08-17T17:15:10.057",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://gist.github.com/hiennv20/6739606a4d0d25612f5139ec391060b7"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://projectredcap.org/resources/community/"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://gist.github.com/hiennv20/6739606a4d0d25612f5139ec391060b7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://projectredcap.org/resources/community/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-12-22 22:15
Modified
2025-04-22 15:43
Severity ?
Summary
A stored cross-site scripting (XSS) vulnerability in the Project name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project. When a user clicks on the project name to access it, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Product |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "08C656CE-426D-43CB-BB3A-92EDFA9B40B6",
"versionEndIncluding": "14.9.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in the Project name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project. When a user clicks on the project name to access it, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts."
},
{
"lang": "es",
"value": "Una vulnerabilidad de cross-site scripting (XSS) almacenado en Project name de REDCap hasta la versi\u00f3n 15.0.0 permite a los usuarios autenticados inyectar secuencias de comandos maliciosas en el campo de nombre de un proyecto. Cuando un usuario hace clic en el nombre del proyecto para acceder a \u00e9l, se ejecuta el payload manipulado, lo que potencialmente permite la ejecuci\u00f3n de secuencias de comandos web arbitrarias."
}
],
"id": "CVE-2024-56314",
"lastModified": "2025-04-22T15:43:45.323",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-12-22T22:15:06.670",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-12-22 21:15
Modified
2025-04-22 15:43
Severity ?
Summary
REDCap through 14.9.6 has a security flaw in the Notes section of calendar events, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into accessing a calendar event's notes, which triggers a logout request and terminates their session. This vulnerability stems from the absence of CSRF protections on the logout functionality, allowing malicious actions to be executed without user consent.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Product |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "08C656CE-426D-43CB-BB3A-92EDFA9B40B6",
"versionEndIncluding": "14.9.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "REDCap through 14.9.6 has a security flaw in the Notes section of calendar events, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into accessing a calendar event\u0027s notes, which triggers a logout request and terminates their session. This vulnerability stems from the absence of CSRF protections on the logout functionality, allowing malicious actions to be executed without user consent."
},
{
"lang": "es",
"value": "REDCap hasta la versi\u00f3n 15.0.0 tiene un fallo de seguridad en la secci\u00f3n Notas de los eventos del calendario, lo que expone a los usuarios a un ataque de Cross-Site Request Forgery (CSRF). Un atacante puede aprovechar esto enga\u00f1ando a los usuarios para que accedan a las notas de un evento del calendario, lo que desencadena una solicitud de cierre de sesi\u00f3n y finaliza su sesi\u00f3n. Esta vulnerabilidad se debe a la ausencia de protecciones CSRF en la funcionalidad de cierre de sesi\u00f3n, lo que permite que se ejecuten acciones maliciosas sin el consentimiento del usuario."
}
],
"id": "CVE-2024-56311",
"lastModified": "2025-04-22T15:43:27.140",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-12-22T21:15:16.600",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-06-17 11:38
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in REDCap before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via vectors involving the Graphical Data View & Descriptive Stats page.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| project-redcap | redcap | 4.13.18 | |
| project-redcap | redcap | 4.14.5 | |
| project-redcap | redcap | 4.14.6 | |
| project-redcap | redcap | 4.15.0 | |
| project-redcap | redcap | 4.15.1 | |
| project-redcap | redcap | 4.15.2 | |
| project-redcap | redcap | 4.15.3 | |
| project-redcap | redcap | 4.15.4 | |
| project-redcap | redcap | 5.0.0 | |
| project-redcap | redcap | 5.0.1 | |
| project-redcap | redcap | 5.0.2 | |
| project-redcap | redcap | 5.0.3 | |
| project-redcap | redcap | 5.0.4 | |
| vanderbilt | redcap | * | |
| vanderbilt | redcap | 4.14.0 | |
| vanderbilt | redcap | 4.14.1 | |
| vanderbilt | redcap | 4.14.2 | |
| vanderbilt | redcap | 4.14.3 | |
| vanderbilt | redcap | 4.14.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.13.18:*:*:*:*:*:*:*",
"matchCriteriaId": "58C92B2E-A9AF-43B4-B1E4-7A873AF1DEAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.14.5:*:*:*:*:*:*:*",
"matchCriteriaId": "DA4E7E65-1147-4620-B31F-617D34822E9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.14.6:*:*:*:*:*:*:*",
"matchCriteriaId": "00CED35E-7640-44D4-B5A4-EED2D0163C79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.0:*:*:*:*:*:*:*",
"matchCriteriaId": "61C3C73D-1818-4DB7-A806-FC999EADE7E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.1:*:*:*:*:*:*:*",
"matchCriteriaId": "8347F389-9331-4689-B52A-87ABFFF02141",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B739D2A5-46DF-4CE8-9BAB-6BB94743D21D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7969B764-47A6-4AC7-B18E-236FF25C6552",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.4:*:*:*:*:*:*:*",
"matchCriteriaId": "26E48768-FDF1-4A54-8F0E-EC4732B55D66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F62B324D-6F70-41B8-B3AC-CDA6D4C3AB25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "7712A887-BB81-4FAE-9B76-FB9886BE41D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "817D8D01-B8E1-4F86-9ACE-0CAF87DA13A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "5241C18D-9714-4DEA-9552-55DD3FBE4613",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "220E8227-7D41-48A9-9D61-BEB47EB19FCA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "930C4C7A-A038-4045-AAA1-67E8B6CE7C12",
"versionEndIncluding": "5.0.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D293B038-228E-42B6-BC99-9BDFCD8D562C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "789C86D0-A11F-4C40-950A-5A617AD7C23A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C366E672-CD77-4932-80D2-09A61B3B1A8E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.3:*:*:*:*:*:*:*",
"matchCriteriaId": "F7055FD2-C107-4D23-8B8C-28607C0C0ADA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3242EC5F-0091-4097-9C6E-ADE5100017AF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in REDCap before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via vectors involving the Graphical Data View \u0026 Descriptive Stats page."
},
{
"lang": "es",
"value": "Vulnerabilidad Cross-site scripting (XSS) en REDCap anterior a v5.0.6 permite a atacantes remotos inyectar secuencias arbitrarias de comandos web o HTML a trav\u00e9s de vectores que involucran a el Graphical Data View y la pagina Descriptive Stats."
}
],
"id": "CVE-2013-4608",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2013-06-17T11:38:53.433",
"references": [
{
"source": "cve@mitre.org",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-03-21 02:48
Modified
2025-03-05 18:49
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
SQL injection vulnerability in Vanderbilt REDCap before v.13.8.0 allows a remote attacker to obtain sensitive information via the password reset mechanism in MyCapMobileApp/update.php.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/ntrampham/REDCap | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.project-redcap.org/ | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/ntrampham/REDCap | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.project-redcap.org/ | Product |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7A26E4A6-DE1C-4EDC-B940-7601DF85D81C",
"versionEndExcluding": "13.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in Vanderbilt REDCap before v.13.8.0 allows a remote attacker to obtain sensitive information via the password reset mechanism in MyCapMobileApp/update.php."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en Vanderbilt REDCap anterior a v.13.8.0 permite a un atacante remoto obtener informaci\u00f3n confidencial a trav\u00e9s del mecanismo de restablecimiento de contrase\u00f1a en MyCapMobileApp/update.php."
}
],
"id": "CVE-2023-38825",
"lastModified": "2025-03-05T18:49:13.880",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-03-21T02:48:14.560",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/ntrampham/REDCap"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.project-redcap.org/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/ntrampham/REDCap"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://www.project-redcap.org/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-01-10 22:15
Modified
2025-02-25 16:11
Severity ?
3.4 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
An issue was discovered in REDCap 14.9.6. It has an action=myprojects&logout=1 CSRF issue in the alert-title while performing an upload of a CSV file containing a list of alert configuration. An attacker can send the victim a CSV file containing an HTML injection payload in the alert-title. Once the victim uploads the file, he automatically lands on a page to view the uploaded data. If the victim click on the alert-title value, it can trigger a logout request and terminates their session, or redirect to a phishing website. This vulnerability stems from the absence of CSRF protections on the logout functionality.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | 14.9.6 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:14.9.6:*:*:*:*:*:*:*",
"matchCriteriaId": "9A7B89E2-F504-45AE-8AB3-D1E31B2DD5EF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in REDCap 14.9.6. It has an action=myprojects\u0026logout=1 CSRF issue in the alert-title while performing an upload of a CSV file containing a list of alert configuration. An attacker can send the victim a CSV file containing an HTML injection payload in the alert-title. Once the victim uploads the file, he automatically lands on a page to view the uploaded data. If the victim click on the alert-title value, it can trigger a logout request and terminates their session, or redirect to a phishing website. This vulnerability stems from the absence of CSRF protections on the logout functionality."
},
{
"lang": "es",
"value": "Se descubri\u00f3 un problema en REDCap 14.9.6. Tiene un problema CSRF action=myprojects\u0026amp;logout=1 en el t\u00edtulo de alerta mientras se carga un archivo CSV que contiene una lista de configuraciones de alerta. Un atacante puede enviar a la v\u00edctima un archivo CSV que contiene un payload de inyecci\u00f3n HTML en el t\u00edtulo de alerta. Una vez que la v\u00edctima carga el archivo, autom\u00e1ticamente llega a una p\u00e1gina para ver los datos cargados. Si la v\u00edctima hace clic en el valor del t\u00edtulo de alerta, puede activar una solicitud de cierre de sesi\u00f3n y finalizar su sesi\u00f3n, o redirigirla a un sitio web de phishing. Esta vulnerabilidad se debe a la ausencia de protecciones CSRF en la funcionalidad de cierre de sesi\u00f3n."
}
],
"id": "CVE-2025-23113",
"lastModified": "2025-02-25T16:11:55.610",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.4,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 1.4,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-01-10T22:15:28.023",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE_XXX/README.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-01-12 15:15
Modified
2024-11-21 05:20
Severity ?
Summary
REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList function via sort parameter. The application uses the addition of a string of information from the submitted user that is not validated well in the database query, resulting in an SQL injection vulnerability where an attacker can exploit and compromise all databases.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/vuongdq54/RedCap | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://www.project-redcap.org/ | Product, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vuongdq54/RedCap | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.project-redcap.org/ | Product, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | 10.0.20 | |
| vanderbilt | redcap | 10.3.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:10.0.20:*:*:*:lts:*:*:*",
"matchCriteriaId": "453770EC-9CBC-42AF-94A2-128E9EAC2367",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:10.3.4:*:*:*:-:*:*:*",
"matchCriteriaId": "BBFEBD85-9056-457B-929C-784EE838A146",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList function via sort parameter. The application uses the addition of a string of information from the submitted user that is not validated well in the database query, resulting in an SQL injection vulnerability where an attacker can exploit and compromise all databases."
},
{
"lang": "es",
"value": "REDCap versi\u00f3n 10.3.4, contiene una vulnerabilidad de inyecci\u00f3n SQL en la funci\u00f3n ToDoList por medio del par\u00e1metro sort.\u0026#xa0;La aplicaci\u00f3n utiliza la adici\u00f3n de una cadena de informaci\u00f3n del usuario enviado que no est\u00e1 bien comprobada en la consulta de la base de datos, resultando en una vulnerabilidad de inyecci\u00f3n SQL donde un atacante puede explotar y comprometer todas las bases de datos"
}
],
"id": "CVE-2020-26712",
"lastModified": "2024-11-21T05:20:16.153",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-01-12T15:15:13.783",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/vuongdq54/RedCap"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"source": "cve@mitre.org",
"tags": [
"Product",
"Vendor Advisory"
],
"url": "https://www.project-redcap.org/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/vuongdq54/RedCap"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Vendor Advisory"
],
"url": "https://www.project-redcap.org/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-01-10 22:15
Modified
2025-02-25 16:14
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
An issue was discovered in REDCap 14.9.6. A stored cross-site scripting (XSS) vulnerability allows authenticated users to inject malicious scripts into the Survey field name of Survey. When a user receive the survey, if he clicks on the field name, it triggers the XSS payload.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | 14.9.6 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:14.9.6:*:*:*:*:*:*:*",
"matchCriteriaId": "9A7B89E2-F504-45AE-8AB3-D1E31B2DD5EF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in REDCap 14.9.6. A stored cross-site scripting (XSS) vulnerability allows authenticated users to inject malicious scripts into the Survey field name of Survey. When a user receive the survey, if he clicks on the field name, it triggers the XSS payload."
},
{
"lang": "es",
"value": "Se descubri\u00f3 un problema en REDCap 14.9.6. Una vulnerabilidad de cross-site scripting almacenado permite que los usuarios autenticados inyecten scripts maliciosos en el nombre del campo de la encuesta. Cuando un usuario recibe la encuesta, si hace clic en el nombre del campo, se activa el payload XSS."
}
],
"id": "CVE-2025-23112",
"lastModified": "2025-02-25T16:14:20.857",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-01-10T22:15:27.863",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE_ZZZZ/README.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-01-09 23:15
Modified
2025-01-16 21:10
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
A stored cross-site scripting (XSS) vulnerability in survey titles of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the Survey Title field or Survey Instructions. When a user receives a survey and clicks anywhere on the survey page to enter data, the crafted payload (which has been injected into all survey fields) is executed, potentially enabling the execution of arbitrary web scripts.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE-2024-56377/README.md | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | 14.9.6 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:14.9.6:*:*:*:*:*:*:*",
"matchCriteriaId": "9A7B89E2-F504-45AE-8AB3-D1E31B2DD5EF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in survey titles of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the Survey Title field or Survey Instructions. When a user receives a survey and clicks anywhere on the survey page to enter data, the crafted payload (which has been injected into all survey fields) is executed, potentially enabling the execution of arbitrary web scripts."
},
{
"lang": "es",
"value": "Una vulnerabilidad de Cross Site Scripting (XSS) almacenado en los t\u00edtulos de las encuestas de REDCap 14.9.6 permite a los usuarios autenticados inyectar secuencias de comandos maliciosas en el campo T\u00edtulo de la encuesta o en las Instrucciones de la encuesta. Cuando un usuario recibe una encuesta y hace clic en cualquier parte de la p\u00e1gina de la encuesta para ingresar datos, se ejecuta el payload manipulado (que se ha inyectado en todos los campos de la encuesta), lo que potencialmente permite la ejecuci\u00f3n de web scripts arbitrarios."
}
],
"id": "CVE-2024-56377",
"lastModified": "2025-01-16T21:10:25.790",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-01-09T23:15:08.173",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE-2024-56377/README.md"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-01-10 22:15
Modified
2025-02-25 16:46
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
An issue was discovered in REDCap 14.9.6. A Reflected cross-site scripting (XSS) vulnerability in the email-subject field exists while performing an upload of a CSV file containing a list of alert configurations. An attacker can send the victim a CSV file containing the XSS payload in the email-subject. Once the victim uploads the file, he automatically lands on a page to view the uploaded data. If the victim clicks on the email-subject value, it triggers the XSS payload.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | 14.9.6 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:14.9.6:*:*:*:*:*:*:*",
"matchCriteriaId": "9A7B89E2-F504-45AE-8AB3-D1E31B2DD5EF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in REDCap 14.9.6. A Reflected cross-site scripting (XSS) vulnerability in the email-subject field exists while performing an upload of a CSV file containing a list of alert configurations. An attacker can send the victim a CSV file containing the XSS payload in the email-subject. Once the victim uploads the file, he automatically lands on a page to view the uploaded data. If the victim clicks on the email-subject value, it triggers the XSS payload."
},
{
"lang": "es",
"value": "Se descubri\u00f3 un problema en REDCap 14.9.6. Existe una vulnerabilidad de cross-site scripting (XSS) reflejado en el campo de asunto del correo electr\u00f3nico al cargar un archivo CSV que contiene una lista de configuraciones de alerta. Un atacante puede enviar a la v\u00edctima un archivo CSV que contiene el payload XSS en el asunto del correo electr\u00f3nico. Una vez que la v\u00edctima carga el archivo, autom\u00e1ticamente llega a una p\u00e1gina para ver los datos cargados. Si la v\u00edctima hace clic en el valor del asunto del correo electr\u00f3nico, se activa el payload XSS."
}
],
"id": "CVE-2025-23110",
"lastModified": "2025-02-25T16:46:57.373",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-01-10T22:15:27.550",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE_VVVVVV/README.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-01-10 22:15
Modified
2025-02-25 16:16
Severity ?
4.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
An issue was discovered in REDCap 14.9.6. It allows HTML Injection via the Survey field name, exposing users to a redirection to a phishing website. An attacker can exploit this to trick the user that receives the survey into clicking on the field name, which redirects them to a phishing website. Thus, this allows malicious actions to be executed without user consent.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | 14.9.6 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:14.9.6:*:*:*:*:*:*:*",
"matchCriteriaId": "9A7B89E2-F504-45AE-8AB3-D1E31B2DD5EF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in REDCap 14.9.6. It allows HTML Injection via the Survey field name, exposing users to a redirection to a phishing website. An attacker can exploit this to trick the user that receives the survey into clicking on the field name, which redirects them to a phishing website. Thus, this allows malicious actions to be executed without user consent."
},
{
"lang": "es",
"value": "Se descubri\u00f3 un problema en REDCap 14.9.6 que permite la inyecci\u00f3n de HTML a trav\u00e9s del nombre del campo de la encuesta, lo que expone a los usuarios a una redirecci\u00f3n a un sitio web de phishing. Un atacante puede aprovechar esto para enga\u00f1ar al usuario que recibe la encuesta para que haga clic en el nombre del campo, lo que lo redirige a un sitio web de phishing. Por lo tanto, esto permite que se ejecuten acciones maliciosas sin el consentimiento del usuario."
}
],
"id": "CVE-2025-23111",
"lastModified": "2025-02-25T16:16:50.967",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-01-10T22:15:27.723",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE_YYYY/README.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-06-17 11:38
Modified
2025-04-11 00:51
Severity ?
Summary
REDCap before 5.0.4 and 5.1.x before 5.1.3 does not reject certain undocumented syntax within branching logic and calculations, which allows remote authenticated users to bypass intended access restrictions via (1) the Online Designer or (2) the Data Dictionary upload, as demonstrated by an eval call.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| project-redcap | redcap | 4.13.18 | |
| project-redcap | redcap | 4.14.5 | |
| project-redcap | redcap | 4.14.6 | |
| project-redcap | redcap | 4.15.0 | |
| project-redcap | redcap | 4.15.1 | |
| project-redcap | redcap | 4.15.2 | |
| project-redcap | redcap | 4.15.3 | |
| project-redcap | redcap | 4.15.4 | |
| project-redcap | redcap | 5.0.0 | |
| project-redcap | redcap | 5.0.1 | |
| project-redcap | redcap | 5.0.2 | |
| project-redcap | redcap | 5.1.0 | |
| project-redcap | redcap | 5.1.1 | |
| project-redcap | redcap | 5.1.2 | |
| vanderbilt | redcap | * | |
| vanderbilt | redcap | 4.14.0 | |
| vanderbilt | redcap | 4.14.1 | |
| vanderbilt | redcap | 4.14.2 | |
| vanderbilt | redcap | 4.14.3 | |
| vanderbilt | redcap | 4.14.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.13.18:*:*:*:*:*:*:*",
"matchCriteriaId": "58C92B2E-A9AF-43B4-B1E4-7A873AF1DEAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.14.5:*:*:*:*:*:*:*",
"matchCriteriaId": "DA4E7E65-1147-4620-B31F-617D34822E9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.14.6:*:*:*:*:*:*:*",
"matchCriteriaId": "00CED35E-7640-44D4-B5A4-EED2D0163C79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.0:*:*:*:*:*:*:*",
"matchCriteriaId": "61C3C73D-1818-4DB7-A806-FC999EADE7E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.1:*:*:*:*:*:*:*",
"matchCriteriaId": "8347F389-9331-4689-B52A-87ABFFF02141",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B739D2A5-46DF-4CE8-9BAB-6BB94743D21D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7969B764-47A6-4AC7-B18E-236FF25C6552",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.4:*:*:*:*:*:*:*",
"matchCriteriaId": "26E48768-FDF1-4A54-8F0E-EC4732B55D66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F62B324D-6F70-41B8-B3AC-CDA6D4C3AB25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "7712A887-BB81-4FAE-9B76-FB9886BE41D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "817D8D01-B8E1-4F86-9ACE-0CAF87DA13A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "AA90F46D-9A07-47ED-9A61-C82CBF823D55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5BDCFE16-45B4-4ADA-AD2D-CBD7706A0C23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A84CE53C-EFC2-4DAA-B3A5-E165F9AE56FE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F97C5D09-EDA5-4FDC-B93B-65A7BBE87395",
"versionEndIncluding": "5.0.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D293B038-228E-42B6-BC99-9BDFCD8D562C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "789C86D0-A11F-4C40-950A-5A617AD7C23A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C366E672-CD77-4932-80D2-09A61B3B1A8E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.3:*:*:*:*:*:*:*",
"matchCriteriaId": "F7055FD2-C107-4D23-8B8C-28607C0C0ADA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3242EC5F-0091-4097-9C6E-ADE5100017AF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "REDCap before 5.0.4 and 5.1.x before 5.1.3 does not reject certain undocumented syntax within branching logic and calculations, which allows remote authenticated users to bypass intended access restrictions via (1) the Online Designer or (2) the Data Dictionary upload, as demonstrated by an eval call."
},
{
"lang": "es",
"value": "REDCap anterior a v5.0.4 y v5.1.x anterior a v5.1.3 no rechaza cierta sintaxis no documentada dentro de la l\u00f3gica de bifurcaci\u00f3n y c\u00e1lculos, lo que permite a usuarios autenticados remotamente evitar las restricciones de acceso establecidas a trav\u00e9s de (1) el Online Designer o (2) el Data Dictionary Upload, como se demostr\u00f3 por una llamada eval."
}
],
"id": "CVE-2013-4609",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-06-17T11:38:53.570",
"references": [
{
"source": "cve@mitre.org",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}