Lucene search
K
VanderbiltRedcap

41 matches found

CVE
CVE
added 2024/12/22 12:0 a.m.460 views

CVE-2024-56314

CVE-2024-56314 affects REDCap: stored XSS in the Project name field (authenticated user input) for REDCap versions up to 14.9.6. When a user clicks the project name, the crafted payload can execute arbitrary web scripts. Root cause is an input handling flaw in the Project name field that allows s...

5.4CVSS5.3AI score0.00386EPSS
CVE
CVE
added 2024/12/22 12:0 a.m.330 views

CVE-2024-56311

CVE-2024-56311 affects REDCap’s calendar notes feature where CSRF protection is missing on logout. Affected versions range from REDCap 14.9.6 (and up to 15.0.0 per PTSecurity) with notes-based logout potentially terminating sessions when a user accesses a calendar note. Root cause: lack of CSRF p...

8.8CVSS8.8AI score0.00289EPSS
CVE
CVE
added 2019/08/17 4:15 p.m.244 views

CVE-2019-14937

REDCap before 9.3.0 is affected by a time-based SQL injection in the edit calendar event via cal_id (example cal_id=55 with sleep(3) in Calendar/calendar_popup_ajax.php). The vulnerability could allow an attacker to obtain a user’s login sessionid and re-login to compromise all data. The issue is...

7.5CVSS7.8AI score0.01404EPSS
Web
CVE
CVE
added 2019/10/04 2:29 a.m.158 views

CVE-2019-17121

CVE-2019-17121 affects REDCap prior to 9.3.4 and involves an XSS vulnerability on the "Customize & Manage Locking/E-signatures" page triggered through Lock Record Custom Text values. The description in the sources confirms the issue but does not provide details on root cause, affected modules bey...

5.4CVSS5.3AI score0.00618EPSS
CVE
CVE
added 2019/07/11 6:52 p.m.112 views

CVE-2019-13029

CVE-2019-13029 describes multiple stored XSS flaws in REDCap’s admin panel and survey system, affecting REDCap 8 prior to 8.10.20 and REDCap 9 prior to 9.1.2. The vulnerability allows an attacker with admin privileges to inject arbitrary HTML/JavaScript into a user’s browser, with the project nam...

4.8CVSS5AI score0.02469EPSS
Web
CVE
CVE
added 2022/04/13 3:32 p.m.90 views

CVE-2021-42136

Summary: CVE-2021-42136 is a stored XSS in REDCap’s Missing Data Codes functionality present in versions before 11.4.0. The vulnerability allows an attacker to store JavaScript as a Missing Data Code value, which is then executed in the victim’s browser and can be leveraged to perform a Cross-Sit...

9CVSS8.4AI score0.04657EPSS
Web
CVE
CVE
added 2024/12/22 12:0 a.m.88 views

CVE-2024-56310

CVE-2024-56310 affects REDCap up to 14.9.6 and up to 15.0.0, due to missing CSRF protections on the Logout functionality. An attacker can lure a user to click a Project Dashboards name containing a payload, triggering a logout and terminating the user session. Root cause: CSRF protection absent o...

8.8CVSS8.8AI score0.0024EPSS
CVE
CVE
added 2024/12/22 12:0 a.m.76 views

CVE-2024-56313

REDCap

5.4CVSS5.3AI score0.00386EPSS
CVE
CVE
added 2024/12/22 12:0 a.m.75 views

CVE-2024-56312

Summary: CVE-2024-56312 is a stored XSS vulnerability in REDCap’s Project Dashboard name field (affected up to version 14.9.6). An authenticated user can inject malicious scripts that execute when the Dashboard name is clicked. The issue stems from insufficient input validation in the name field ...

5.4CVSS5.3AI score0.00386EPSS
CVE
CVE
added 2022/06/15 6:16 p.m.74 views

CVE-2022-24004

CVE-2022-24004 pertains to a Stored XSS in REDCap 12.0.11 affecting Messenger/messenger_ajax.php. The vulnerability allows any authenticated user editing an existing conversation to inject arbitrary code into the messenger title (new_title) field, with the payload then executing in the browsers o...

5.4CVSS5.1AI score0.00652EPSS
Web
CVE
CVE
added 2025/06/10 12:0 a.m.64 views

CVE-2024-37395

REDCap 13.1.9.x stores XSS in the Public Survey page: authenticated users can inject scripts via the Survey Title and Survey Instructions. The vulnerability triggers when the survey is accessed via its public link. Remediation is to update to 14.2.1 or later (per the CVE description). The connect...

5.4CVSS5.3AI score0.00409EPSS
CVE
CVE
added 2025/01/10 12:0 a.m.64 views

CVE-2025-23110

CVE-2025-23110 affects REDCap v14.9.6. A reflected XSS vulnerability exists in the email-subject field when uploading a CSV containing alert configurations; a victim who opens the uploaded data and clicks the email-subject may trigger the payload. Affected component: email-subject handling during...

6.1CVSS5.8AI score0.00273EPSS
CVE
CVE
added 2025/06/10 12:0 a.m.63 views

CVE-2024-37396

REDCap 13.1.9 is affected by a stored XSS in the Calendar component (Notes field). authenticated users can inject scripted HTML that is executed when the calendar event is viewed. The issue is caused by improper handling of input in the calendar event notes, leading to script execution in the con...

5.4CVSS5.4AI score0.00409EPSS
CVE
CVE
added 2025/01/10 12:0 a.m.61 views

CVE-2025-23112

CVE-2025-23112 affects REDCap 14.9.6 with a stored XSS in the Survey field name; authenticated users can trigger payloads when clicking the field name in a survey. The Red Hat and other sources confirm the same issue; no vendor-provided patch/version is specified in the provided documents. Exploi...

6.1CVSS4.7AI score0.00273EPSS
CVE
CVE
added 2022/06/15 6:16 p.m.60 views

CVE-2022-24127

CVE-2022-24127 is a Stored XSS affecting REDCap 12.0.11. The vulnerability resides in ProjectGeneral/edit_project_settings.php (field app_title) where a user with project management permissions can inject arbitrary code, which is reflected in the page title tag. A related entry exists in Messenge...

5.4CVSS5.2AI score0.00656EPSS
Web
CVE
CVE
added 2020/10/31 4:18 p.m.59 views

CVE-2020-27358

CVE-2020-27358 affects REDCap 8.11.6 through 9.x before 10. The Messenger CSV export feature is vulnerable to an access-control bypass: non-privileged users can exfiltrate another user’s conversation threads by altering thread_id in the request to Messenger/messenger_download_csv.php?title=Hey&th...

4.3CVSS4.8AI score0.02031EPSS
Web
CVE
CVE
added 2022/10/12 12:0 a.m.59 views

CVE-2022-42715

Affected software: REDCap (prior to 12.04.18). Vulnerability: Reflected XSS in the Alerts & Notifications upload feature. A crafted CSV file can cause arbitrary JavaScript execution in the user’s browser. Root cause / scope: Unclear from provided docs beyond the XSS result via CSV upload; the iss...

6.1CVSS6.2AI score0.00698EPSS
CVE
CVE
added 2018/02/08 3:0 p.m.58 views

CVE-2017-7351

REDCap 7.x is vulnerable to SQL injection in the file upload handler (SendITController:upload) prior to 7.0.11. The issue is triggered by a trailing substring in the upload endpoint, enabling an attacker to inject SQL through the file upload process. Impact: potential unauthorized database access...

8.8CVSS8.9AI score0.01192EPSS
CVE
CVE
added 2023/07/25 12:0 a.m.58 views

CVE-2023-37361

CVE-2023-37361 affects REDCap versions 12.0.26 LTS and 12.3.2 Standard. The vulnerability is a SQL injection coming from specific parameters (scheduling, repeatforms, purpose, app_title, randomization) used in various function points, potentially enabling unauthorized data access or manipulation ...

2.7CVSS5.2AI score0.00513EPSS
CVE
CVE
added 2025/01/10 12:0 a.m.58 views

CVE-2025-23113

CVE-2025-23113 affects REDCap 14.9.6. The issue is a CSRF vulnerability in the logout functionality triggered during a CSV upload of alert configuration. An HTML injection payload placed in the alert-title can be sent by an attacker; when the victim views the uploaded data and clicks the alert-ti...

8.8CVSS6.7AI score0.00156EPSS
CVE
CVE
added 2025/01/09 12:0 a.m.55 views

CVE-2024-56377

CVE-2024-56377 describes a stored cross-site scripting (XSS) vulnerability in REDCap 14.9.6 related to survey titles and survey instructions. The issue allows authenticated users to inject malicious scripts into the Survey Title field, and the payload can execute when a user interacts with the su...

5.4CVSS5.7AI score0.00386EPSS
CVE
CVE
added 2025/01/10 12:0 a.m.55 views

CVE-2025-23111

CVE-2025-23111 affects REDCap 14.9.6. The vulnerability arises from HTML injection via the Survey field name, enabling a phishing redirect when a survey recipient clicks the manipulated field name. The exposed risk is user-confusion leading to actions without consent, with the impact described as...

6.1CVSS6.6AI score0.00268EPSS
CVE
CVE
added 2021/01/12 2:17 p.m.54 views

CVE-2020-26712

REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList function via the sort parameter. The issue arises from incorporating user-supplied data into a database query without proper validation, enabling attacker-controlled input to affect the query and potentially access or compromise...

10CVSS9.6AI score0.0211EPSS
CVE
CVE
added 2025/06/10 12:0 a.m.54 views

CVE-2024-37394

CVE-2024-37394 (REDCap) : A stored XSS in REDCap 13.1.9 affects the Project Dashboards, allowing authenticated users to inject payloads into the Dashboard title and content. Exploitation leads to execution of malicious scripts when the dashboard is viewed. Red Hat CVE records mirror this issue fo...

5.4CVSS5.7AI score0.00409EPSS
CVE
CVE
added 2025/01/09 12:0 a.m.54 views

CVE-2024-56376

CVE-2024-56376 is a stored XSS in REDCap 14.9.6’s built-in messenger. Authenticated users can inject malicious scripts into the message field, and the payload executes when the recipient clicks the message, enabling potential arbitrary web-script execution. No fix details are provided in the init...

5.4CVSS5.6AI score0.00386EPSS
CVE
CVE
added 2017/07/18 2:0 p.m.53 views

CVE-2017-10962

REDCap before 7.5.1 is affected by a Cross-Site Scripting (XSS) vulnerability via the query string. The issue affects REDCap versions prior to 7.5.1; exploitation details are not expanded beyond the XSS via query parameters. Remediation guidance within the connected documents points to upgrading ...

6.1CVSS6AI score0.00639EPSS
CVE
CVE
added 2024/09/02 12:0 a.m.53 views

CVE-2024-45527

REDCap 14.7.0 is affected by an HTML injection via the project title on the New Project action. The underlying issue allows injecting HTML that can trigger a logout CSRF (via index.php?logout=1) and may be used to insert a link to an external phishing site. The Red Hat/CNNVD/CVE references confir...

6.1CVSS7AI score0.00185EPSS
CVE
CVE
added 2013/06/17 10:0 a.m.51 views

CVE-2012-6564

CVE-2012-6564 describes a cross-site scripting (XSS) vulnerability in REDCap prior to 4.14.5. The affected component is the REDCap web application; the root cause is an XSS flaw that allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. The available documents do...

4.3CVSS5.8AI score0.01374EPSS
CVE
CVE
added 2023/09/07 12:0 a.m.51 views

CVE-2023-37798

Vanderbilt REDCap 13.1.35 is affected by a stored XSS in the new project creation function, exploitable via the project title parameter. Root cause: insufficient input sanitization in the project title field leading to arbitrary script/HTML execution. Impact: potential arbitrary script execution ...

5.4CVSS5.3AI score0.00346EPSS
CVE
CVE
added 2013/06/17 10:0 a.m.50 views

CVE-2012-6565

REDCap before 4.14.3 exposes a cross-site scripting (XSS) flaw that lets remote authenticated users inject arbitrary web script or HTML via uppercase characters in JavaScript events inside user-defined labels. Root cause described as improper handling of uppercase characters in label-defined JS e...

3.5CVSS5.4AI score0.00944EPSS
CVE
CVE
added 2013/06/17 10:0 a.m.50 views

CVE-2013-4608

CVE-2013-4608 is an XSS vulnerability in REDCap prior to version 5.0.6, exploitable via the Graphical Data View & Descriptive Stats page. The available sources describe that remote attackers can inject arbitrary web script or HTML. The connected documents do not provide exploit code, in-the-wild ...

4.3CVSS5.8AI score0.01214EPSS
CVE
CVE
added 2013/06/17 10:0 a.m.50 views

CVE-2013-4612

The CVE-2013-4612 entry concerns REDCap prior to version 5.1.0 , with multiple cross-site scripting (XSS) vulnerabilities. The reports indicate remote attackers could inject arbitrary web script/HTML via unspecified vectors across different modules. The connected documents confirm the affected pr...

4.3CVSS5.8AI score0.01379EPSS
CVE
CVE
added 2013/06/17 10:0 a.m.48 views

CVE-2013-4610

CVE-2013-4610 affects the Data Search utility in REDCap data-entry forms, specifically REDCap before 5.0.3 and 5.1.x before 5.1.2. The impact is not specified in the sources, and there are no public exploitation details provided in the connected documents. No remediation or fix versions are descr...

10CVSS6.9AI score0.01743EPSS
CVE
CVE
added 2017/07/18 2:0 p.m.48 views

CVE-2017-10961

CVE-2017-10961 – REDCap before 7.5.1 suffers a cross-site request forgery (CSRF) in the deletion feature of the File Repository and File Upload components. The root cause is CSRF in the delete function, enabling a remote attacker to perform unauthorized operations in affected installations. Multi...

8.8CVSS8.6AI score0.00563EPSS
CVE
CVE
added 2021/01/12 2:17 p.m.47 views

CVE-2020-26713

REDCap 10.3.4 contains a reflected XSS in the ToDoList function via the sort parameter. User-submitted data is returned unescaped in the response, enabling credential/session information theft or privilege abuse. No remediation details are provided in the supplied documents.

6.1CVSS6.2AI score0.01171EPSS
CVE
CVE
added 2024/03/06 12:0 a.m.47 views

CVE-2023-38825

Summary: CVE-2023-38825 is a SQL injection vulnerability in Vanderbilt REDCap prior to v13.8.0, exposed via the MyCapMobileApp/update.php password-reset endpoint. Affected software: Vanderbilt REDCap (pre-13.8.0). Root cause/impact: improper input handling in the password-reset path allows a remo...

9.8CVSS7.4AI score0.00952EPSS
CVE
CVE
added 2013/06/17 10:0 a.m.46 views

CVE-2012-6566

CVE-2012-6566 describes a cross-site scripting (XSS) vulnerability in REDCap prior to 4.14.2 that allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. The affected software is REDCap; the root cause is an XSS flaw in versions before 4.14.2. Exploitation details ...

4.3CVSS5.8AI score0.01379EPSS
CVE
CVE
added 2013/06/17 10:0 a.m.45 views

CVE-2013-4609

REDCap exposes a logic-evaluation weakness: versions before 5.0.4 and 5.1.x before 5.1.3 do not reject undocumented syntax in branching logic and calculations, enabling remote authenticated users to bypass access controls via the Online Designer or Data Dictionary upload (demonstrated by an eval ...

6.5CVSS6.5AI score0.0151EPSS
CVE
CVE
added 2019/08/21 6:14 p.m.42 views

CVE-2019-15127

CVE-2019-15127 affects REDCap prior to 9.3.0. The issue is an XSS vulnerability on the Data Import Tool page, exploitable by a CSV data import file and affecting non-administrator accounts. The description in public records does not specify the underlying root cause or CVE exploit vectors beyond ...

5.4CVSS5.2AI score0.00531EPSS
CVE
CVE
added 2013/06/17 10:0 a.m.39 views

CVE-2013-4611

REDCap before 5.1.1 is affected by CVE-2013-4611. The connected documents describe multiple unspecified vulnerabilities that allow remote attackers to have an unknown impact via the Online Designer page or the Manage Survey Participants page. The exact root cause, affected subcomponents, mitigati...

10CVSS7.1AI score0.0294EPSS
CVE
CVE
added 2026/01/02 12:0 a.m.12 views

CVE-2024-55374

REDCap 14.3.13 is affected by a username-enumeration vulnerability caused by an observable discrepancy between login attempts. The issue allows an attacker to enumerate valid usernames. Public details on exploitability, affected versions beyond 14.3.13, and a confirmed fix are not provided in the...

5.3CVSS6.5AI score0.0024EPSS