VanderbiltRedcap

8 matches found

CVE | added 2025/01/10 10:15 p.m. | 49 views

CVE-2025-23112

An issue was discovered in REDCap 14.9.6. A stored cross-site scripting (XSS) vulnerability allows authenticated users to inject malicious scripts into the Survey field name of a Survey. When a user receives the survey and clicks on the field name, the XSS payload is triggered.

CVSS 6.1 | AI score 4.7 | EPSS 0.00046

CVE | added 2025/01/10 10:15 p.m. | 47 views

CVE-2025-23110

An issue was discovered in REDCap 14.9.6. A reflected cross-site scripting (XSS) vulnerability in the email-subject field exists while performing an upload of a CSV file containing a list of alert configurations. An attacker can send the victim a CSV file containing the XSS payload in the email-sub...

CVSS 6.1 | AI score 5.8 | EPSS 0.00037

CVE | added 2025/01/10 10:15 p.m. | 44 views

CVE-2025-23111

An issue was discovered in REDCap 14.9.6. It allows HTML Injection via the Survey field name, exposing users to a redirection to a phishing website. An attacker can exploit this to trick the user that receives the survey into clicking on the field name, which redirects them to a phishing website. T...

CVSS 6.1 | AI score 6.6 | EPSS 0.00036

CVE | added 2022/10/12 1:15 p.m. | 42 views

CVE-2022-42715

A reflected XSS vulnerability exists in REDCap before 12.04.18 in the Alerts & Notifications upload feature. A crafted CSV file will, when uploaded, trigger arbitrary JavaScript code execution.

CVSS 6.1 | AI score 6.2 | EPSS 0.00167

CVE | added 2017/07/18 2:29 p.m. | 40 views

CVE-2017-10962

REDCap before 7.5.1 has XSS via the query string.

CVSS 6.1 | AI score 6 | EPSS 0.0024

CVE | added 2024/09/02 5:15 a.m. | 37 views

CVE-2024-45527

REDCap 14.7.0 allows HTML injection via the project title of a New Project action. This can lead to resultant logout CSRF via index.php?logout=1, and can also be used to insert a link to an external phishing website.

CVSS 6.1 | AI score 7 | EPSS 0.00047

CVE | added 2013/06/17 11:38 a.m. | 33 views

CVE-2013-4609

REDCap before 5.0.4 and 5.1.x before 5.1.3 does not reject certain undocumented syntax within branching logic and calculations, which allows remote authenticated users to bypass intended access restrictions via (1) the Online Designer or (2) the Data Dictionary upload, as demonstrated by an eval ca...

CVSS 6.5 | AI score 6.5 | EPSS 0.00191

CVE | added 2021/01/12 3:15 p.m. | 29 views

CVE-2020-26713

REDCap 10.3.4 contains an XSS vulnerability in the ToDoList function with parameter sort. The information submitted by the user is immediately returned in the response without being escaped, leading to a reflected XSS vulnerability. Attackers can exploit vulnerabilities to steal login session information...

CVSS 6.1 | AI score 6.2 | EPSS 0.00397