80 matches found
CVE-2024-37395
A stored cross-site scripting XSS vulnerability in the Public Survey function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Survey Title' and 'Survey Instructions' fields. This vulnerability could be exploited by...
CVE-2024-37394
A stored cross-site scripting XSS vulnerability in the Project Dashboards of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Dashboard title' and 'Dashboard content' text boxes. This can lead to the execution of malicious...
CVE-2024-37396
A stored cross-site scripting XSS vulnerability in the Calendar function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Notes' field of a calendar event. This could lead to the execution of malicious scripts when the...
CVE-2024-37395
REDCap 13.1.9.x stores XSS in the Public Survey page: authenticated users can inject scripts via the Survey Title and Survey Instructions. The vulnerability triggers when the survey is accessed via its public link. Remediation is to update to 14.2.1 or later (per the CVE description). The connect...
CVE-2024-37394
A stored cross-site scripting XSS vulnerability in the Project Dashboards of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Dashboard title' and 'Dashboard content' text boxes. This can lead to the execution of malicious...
CVE-2024-37395
A stored cross-site scripting XSS vulnerability in the Public Survey function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Survey Title' and 'Survey Instructions' fields. This vulnerability could be exploited by...
PT-2025-24818 · Redcap · Redcap
Name of the Vulnerable Software and Affected Versions: REDCap version 13.1.9 Description: A stored cross-site scripting XSS issue in the Calendar function allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the Notes field of a calendar event. Th...
CVE-2024-37396
A stored cross-site scripting XSS vulnerability in the Calendar function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Notes' field of a calendar event. This could lead to the execution of malicious scripts when the...
CVE-2024-37394
CVE-2024-37394 (REDCap) : A stored XSS in REDCap 13.1.9 affects the Project Dashboards, allowing authenticated users to inject payloads into the Dashboard title and content. Exploitation leads to execution of malicious scripts when the dashboard is viewed. Red Hat CVE records mirror this issue fo...
CVE-2025-23110
An issue was discovered in REDCap 14.9.6. A Reflected cross-site scripting XSS vulnerability in the email-subject field exists while performing an upload of a CSV file containing a list of alert configurations. An attacker can send the victim a CSV file containing the XSS payload in the...
CVE-2024-45527
REDCap 14.7.0 allows HTML injection via the project title of a New Project action. This can lead to resultant logout CSRF via index.php?logout=1, and can also be used to insert a link to an external phishing website...
CVE-2024-56314
A stored cross-site scripting XSS vulnerability in the Project name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project. When a user clicks on the project name to access it, the crafted payload is executed, potentially enabling the...
CVE-2024-56312
A stored cross-site scripting XSS vulnerability in the Project Dashboard name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project Dashboard. When a user clicks on the project Dashboard name, the crafted payload is executed, potentially...
CVE-2020-27359
A cross-site scripting XSS issue in REDCap 8.11.6 through 9.x before 10 allows attackers to inject arbitrary JavaScript or HTML in the Messenger feature. It was found that the filename of the image or file attached in a message could be used to perform this XSS attack. A user could craft a messag...
CVE-2020-26712
REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList function via sort parameter. The application uses the addition of a string of information from the submitted user that is not validated well in the database query, resulting in an SQL injection vulnerability where an attacker ca...
CVE-2020-27358
An issue was discovered in REDCap 8.11.6 through 9.x before 10. The messenger's CSV feature that allows users to export their conversation threads as CSV allows non-privileged users to export one another's conversation threads by changing the threadid parameter in the request to the endpoint...
CVE-2013-4610
Unspecified vulnerability in the Data Search utility in data-entry forms in REDCap before 5.0.3 and 5.1.x before 5.1.2 has unknown impact and remote attack vectors...
CVE-2012-6564
Cross-site scripting XSS vulnerability in REDCap before 4.14.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...
CVE-2013-4608
Cross-site scripting XSS vulnerability in REDCap before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via vectors involving the Graphical Data View & Descriptive Stats page...
CVE-2019-14937
REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the calid parameter, such as calid=55 and sleep3 to Calendar/calendarpopupajax.php. The attacker can obtain a user's login sessionid from the database, and then re-login into REDCap to compromise all data...