41 matches found
CVE-2024-56314
CVE-2024-56314 affects REDCap: stored XSS in the Project name field (authenticated user input) for REDCap versions up to 14.9.6. When a user clicks the project name, the crafted payload can execute arbitrary web scripts. Root cause is an input handling flaw in the Project name field that allows s...
CVE-2024-56311
CVE-2024-56311 affects REDCap’s calendar notes feature where CSRF protection is missing on logout. Affected versions range from REDCap 14.9.6 (and up to 15.0.0 per PTSecurity) with notes-based logout potentially terminating sessions when a user accesses a calendar note. Root cause: lack of CSRF p...
CVE-2019-14937
REDCap before 9.3.0 is affected by a time-based SQL injection in the edit calendar event via cal_id (example cal_id=55 with sleep(3) in Calendar/calendar_popup_ajax.php). The vulnerability could allow an attacker to obtain a user’s login sessionid and re-login to compromise all data. The issue is...
CVE-2019-17121
CVE-2019-17121 affects REDCap prior to 9.3.4 and involves an XSS vulnerability on the "Customize & Manage Locking/E-signatures" page triggered through Lock Record Custom Text values. The description in the sources confirms the issue but does not provide details on root cause, affected modules bey...
CVE-2019-13029
CVE-2019-13029 describes multiple stored XSS flaws in REDCap’s admin panel and survey system, affecting REDCap 8 prior to 8.10.20 and REDCap 9 prior to 9.1.2. The vulnerability allows an attacker with admin privileges to inject arbitrary HTML/JavaScript into a user’s browser, with the project nam...
CVE-2021-42136
Summary: CVE-2021-42136 is a stored XSS in REDCap’s Missing Data Codes functionality present in versions before 11.4.0. The vulnerability allows an attacker to store JavaScript as a Missing Data Code value, which is then executed in the victim’s browser and can be leveraged to perform a Cross-Sit...
CVE-2024-56310
CVE-2024-56310 affects REDCap up to 14.9.6 and up to 15.0.0, due to missing CSRF protections on the Logout functionality. An attacker can lure a user to click a Project Dashboards name containing a payload, triggering a logout and terminating the user session. Root cause: CSRF protection absent o...
CVE-2024-56313
REDCap
CVE-2024-56312
Summary: CVE-2024-56312 is a stored XSS vulnerability in REDCap’s Project Dashboard name field (affected up to version 14.9.6). An authenticated user can inject malicious scripts that execute when the Dashboard name is clicked. The issue stems from insufficient input validation in the name field ...
CVE-2022-24004
CVE-2022-24004 pertains to a Stored XSS in REDCap 12.0.11 affecting Messenger/messenger_ajax.php. The vulnerability allows any authenticated user editing an existing conversation to inject arbitrary code into the messenger title (new_title) field, with the payload then executing in the browsers o...
CVE-2025-23110
CVE-2025-23110 affects REDCap v14.9.6. A reflected XSS vulnerability exists in the email-subject field when uploading a CSV containing alert configurations; a victim who opens the uploaded data and clicks the email-subject may trigger the payload. Affected component: email-subject handling during...
CVE-2024-37395
REDCap 13.1.9.x stores XSS in the Public Survey page: authenticated users can inject scripts via the Survey Title and Survey Instructions. The vulnerability triggers when the survey is accessed via its public link. Remediation is to update to 14.2.1 or later (per the CVE description). The connect...
CVE-2024-37396
REDCap 13.1.9 is affected by a stored XSS in the Calendar component (Notes field). authenticated users can inject scripted HTML that is executed when the calendar event is viewed. The issue is caused by improper handling of input in the calendar event notes, leading to script execution in the con...
CVE-2025-23112
CVE-2025-23112 affects REDCap 14.9.6 with a stored XSS in the Survey field name; authenticated users can trigger payloads when clicking the field name in a survey. The Red Hat and other sources confirm the same issue; no vendor-provided patch/version is specified in the provided documents. Exploi...
CVE-2022-24127
CVE-2022-24127 is a Stored XSS affecting REDCap 12.0.11. The vulnerability resides in ProjectGeneral/edit_project_settings.php (field app_title) where a user with project management permissions can inject arbitrary code, which is reflected in the page title tag. A related entry exists in Messenge...
CVE-2020-27358
CVE-2020-27358 affects REDCap 8.11.6 through 9.x before 10. The Messenger CSV export feature is vulnerable to an access-control bypass: non-privileged users can exfiltrate another user’s conversation threads by altering thread_id in the request to Messenger/messenger_download_csv.php?title=Hey&th...
CVE-2022-42715
Affected software: REDCap (prior to 12.04.18). Vulnerability: Reflected XSS in the Alerts & Notifications upload feature. A crafted CSV file can cause arbitrary JavaScript execution in the user’s browser. Root cause / scope: Unclear from provided docs beyond the XSS result via CSV upload; the iss...
CVE-2017-7351
REDCap 7.x is vulnerable to SQL injection in the file upload handler (SendITController:upload) prior to 7.0.11. The issue is triggered by a trailing substring in the upload endpoint, enabling an attacker to inject SQL through the file upload process. Impact: potential unauthorized database access...
CVE-2023-37361
CVE-2023-37361 affects REDCap versions 12.0.26 LTS and 12.3.2 Standard. The vulnerability is a SQL injection coming from specific parameters (scheduling, repeatforms, purpose, app_title, randomization) used in various function points, potentially enabling unauthorized data access or manipulation ...
CVE-2025-23113
CVE-2025-23113 affects REDCap 14.9.6. The issue is a CSRF vulnerability in the logout functionality triggered during a CSV upload of alert configuration. An HTML injection payload placed in the alert-title can be sent by an attacker; when the victim views the uploaded data and clicks the alert-ti...
CVE-2025-23111
CVE-2025-23111 affects REDCap 14.9.6. The vulnerability arises from HTML injection via the Survey field name, enabling a phishing redirect when a survey recipient clicks the manipulated field name. The exposed risk is user-confusion leading to actions without consent, with the impact described as...
CVE-2020-26712
REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList function via the sort parameter. The issue arises from incorporating user-supplied data into a database query without proper validation, enabling attacker-controlled input to affect the query and potentially access or compromise...
CVE-2024-37394
CVE-2024-37394 (REDCap) : A stored XSS in REDCap 13.1.9 affects the Project Dashboards, allowing authenticated users to inject payloads into the Dashboard title and content. Exploitation leads to execution of malicious scripts when the dashboard is viewed. Red Hat CVE records mirror this issue fo...
CVE-2024-56376
CVE-2024-56376 is a stored XSS in REDCap 14.9.6’s built-in messenger. Authenticated users can inject malicious scripts into the message field, and the payload executes when the recipient clicks the message, enabling potential arbitrary web-script execution. No fix details are provided in the init...
CVE-2024-56377
CVE-2024-56377 describes a stored cross-site scripting (XSS) vulnerability in REDCap 14.9.6 related to survey titles and survey instructions. The issue allows authenticated users to inject malicious scripts into the Survey Title field, and the payload can execute when a user interacts with the su...
CVE-2017-10962
REDCap before 7.5.1 is affected by a Cross-Site Scripting (XSS) vulnerability via the query string. The issue affects REDCap versions prior to 7.5.1; exploitation details are not expanded beyond the XSS via query parameters. Remediation guidance within the connected documents points to upgrading ...
CVE-2024-45527
REDCap 14.7.0 is affected by an HTML injection via the project title on the New Project action. The underlying issue allows injecting HTML that can trigger a logout CSRF (via index.php?logout=1) and may be used to insert a link to an external phishing site. The Red Hat/CNNVD/CVE references confir...
CVE-2012-6564
CVE-2012-6564 describes a cross-site scripting (XSS) vulnerability in REDCap prior to 4.14.5. The affected component is the REDCap web application; the root cause is an XSS flaw that allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. The available documents do...
CVE-2023-37798
Vanderbilt REDCap 13.1.35 is affected by a stored XSS in the new project creation function, exploitable via the project title parameter. Root cause: insufficient input sanitization in the project title field leading to arbitrary script/HTML execution. Impact: potential arbitrary script execution ...
CVE-2012-6565
REDCap before 4.14.3 exposes a cross-site scripting (XSS) flaw that lets remote authenticated users inject arbitrary web script or HTML via uppercase characters in JavaScript events inside user-defined labels. Root cause described as improper handling of uppercase characters in label-defined JS e...
CVE-2013-4608
CVE-2013-4608 is an XSS vulnerability in REDCap prior to version 5.0.6, exploitable via the Graphical Data View & Descriptive Stats page. The available sources describe that remote attackers can inject arbitrary web script or HTML. The connected documents do not provide exploit code, in-the-wild ...
CVE-2013-4612
The CVE-2013-4612 entry concerns REDCap prior to version 5.1.0 , with multiple cross-site scripting (XSS) vulnerabilities. The reports indicate remote attackers could inject arbitrary web script/HTML via unspecified vectors across different modules. The connected documents confirm the affected pr...
CVE-2013-4610
CVE-2013-4610 affects the Data Search utility in REDCap data-entry forms, specifically REDCap before 5.0.3 and 5.1.x before 5.1.2. The impact is not specified in the sources, and there are no public exploitation details provided in the connected documents. No remediation or fix versions are descr...
CVE-2017-10961
CVE-2017-10961 – REDCap before 7.5.1 suffers a cross-site request forgery (CSRF) in the deletion feature of the File Repository and File Upload components. The root cause is CSRF in the delete function, enabling a remote attacker to perform unauthorized operations in affected installations. Multi...
CVE-2020-26713
REDCap 10.3.4 contains a reflected XSS in the ToDoList function via the sort parameter. User-submitted data is returned unescaped in the response, enabling credential/session information theft or privilege abuse. No remediation details are provided in the supplied documents.
CVE-2023-38825
Summary: CVE-2023-38825 is a SQL injection vulnerability in Vanderbilt REDCap prior to v13.8.0, exposed via the MyCapMobileApp/update.php password-reset endpoint. Affected software: Vanderbilt REDCap (pre-13.8.0). Root cause/impact: improper input handling in the password-reset path allows a remo...
CVE-2012-6566
CVE-2012-6566 describes a cross-site scripting (XSS) vulnerability in REDCap prior to 4.14.2 that allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. The affected software is REDCap; the root cause is an XSS flaw in versions before 4.14.2. Exploitation details ...
CVE-2013-4609
REDCap exposes a logic-evaluation weakness: versions before 5.0.4 and 5.1.x before 5.1.3 do not reject undocumented syntax in branching logic and calculations, enabling remote authenticated users to bypass access controls via the Online Designer or Data Dictionary upload (demonstrated by an eval ...
CVE-2019-15127
CVE-2019-15127 affects REDCap prior to 9.3.0. The issue is an XSS vulnerability on the Data Import Tool page, exploitable by a CSV data import file and affecting non-administrator accounts. The description in public records does not specify the underlying root cause or CVE exploit vectors beyond ...
CVE-2013-4611
REDCap before 5.1.1 is affected by CVE-2013-4611. The connected documents describe multiple unspecified vulnerabilities that allow remote attackers to have an unknown impact via the Online Designer page or the Manage Survey Participants page. The exact root cause, affected subcomponents, mitigati...
CVE-2024-55374
REDCap 14.3.13 is affected by a username-enumeration vulnerability caused by an observable discrepancy between login attempts. The issue allows an attacker to enumerate valid usernames. Public details on exploitability, affected versions beyond 14.3.13, and a confirmed fix are not provided in the...