
Vanderbilt Redcap vulnerabilities

40 known vulnerabilities affecting vanderbilt/redcap.

Total CVEs: 40
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 6, MEDIUM 28, LOW 2

Vulnerabilities

Page 1 of 2

CVE | Priority | Severity | CVSS | Affected / fixed versions | Date
CVE-2021-42136 | P3 | CRITICAL | CVSS 9.0 (PoC) | fixed in 11.4.0 | 2022-04-13
CVE-2021-42136 [CRITICAL] CWE-79: A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap before 11.4.0 allows remote attackers to execute JavaScript code in the client's browser by storing said code as a Missing Data Code value. This can then be leveraged to execute a Cross-Site Request Forgery attack to escalate privileges to administrat
Source: nvd
CVE-2020-26712 | P3 | CRITICAL | CVSS 9.8 | v10.0.20, v10.3.4 | 2021-01-12
CVE-2020-26712 [CRITICAL] CWE-89: REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList function via the sort parameter. The application concatenates user-submitted input that is not properly validated into the database query, resulting in an SQL injection vulnerability that an attacker can exploit to compromise all databases.
Source: nvd
CVE-2017-7351 | P3 | HIGH | CVSS 8.8 | ≥ 7.0.0, < 7.0.11 | 2018-02-08
CVE-2017-7351 [HIGH] CWE-89: A SQL injection issue exists in a file upload handler in REDCap 7.x before 7.0.11 via a trailing substring to SendITController:upload.
Source: nvd
CVE-2019-13029 | P4 | MEDIUM | CVSS 4.8 (PoC) | ≥ 8.0, < 8.10.2; ≥ 9.0, < 9.1.2 | 2019-07-11
CVE-2019-13029 [MEDIUM] CWE-79: Multiple stored Cross-site scripting (XSS) issues in the admin panel and survey system in REDCap 8 before 8.10.20 and 9 before 9.1.2 allow an attacker to inject arbitrary malicious HTML or JavaScript code into a user's web browser.
Source: nvd
CVE-2024-56310 | P3 | HIGH | CVSS 8.8 | ≤ 14.9.6 | 2024-12-22
CVE-2024-56310 [HIGH] CWE-352: REDCap through 14.9.6 has a security flaw in the Project Dashboards name, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into clicking on a Project Dashboards name that contains the malicious payload, which triggers a logout request and terminates their session. This vulnerability stems from
Source: nvd
CVE-2024-56311 | P3 | HIGH | CVSS 8.8 | ≤ 14.9.6 | 2024-12-22
CVE-2024-56311 [HIGH] CWE-352: REDCap through 14.9.6 has a security flaw in the Notes section of calendar events, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into accessing a calendar event's notes, which triggers a logout request and terminates their session. This vulnerability stems from the absence of CSRF protection
Source: nvd
CVE-2013-4611 | P3 | CRITICAL | CVSS 10.0 | ≤ 5.1.0, v4.14.0, +4 more | 2013-06-17
CVE-2013-4611 [CRITICAL]: Multiple unspecified vulnerabilities in REDCap before 5.1.1 allow remote attackers to have an unknown impact via vectors involving (1) the Online Designer page or (2) the Manage Survey Participants page.
Source: nvd
CVE-2019-14937 | P3 | HIGH | CVSS 7.5 | ≥ 8.11.5, < 9.3.0 | 2019-08-17
CVE-2019-14937 [HIGH] CWE-89: REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php. The attacker can obtain a user's login sessionid from the database, and then re-login into REDCap to compromise all data.
Source: nvd
CVE-2025-23113 | P3 | HIGH | CVSS 8.8 | v14.9.6 | 2025-01-10
CVE-2025-23113 [HIGH] CWE-352: An issue was discovered in REDCap 14.9.6. It has an action=myprojects&logout=1 CSRF issue in the alert-title while performing an upload of a CSV file containing a list of alert configuration. An attacker can send the victim a CSV file containing an HTML injection payload in the alert-title. Once the victim uploads the file, he automatically lands on a
Source: nvd
CVE-2013-4610 | P3 | CRITICAL | CVSS 10.0 | ≤ 5.0.2, v4.14.0, +4 more | 2013-06-17
CVE-2013-4610 [CRITICAL]: Unspecified vulnerability in the Data Search utility in data-entry forms in REDCap before 5.0.3 and 5.1.x before 5.1.2 has unknown impact and remote attack vectors.
Source: nvd
CVE-2023-38825 | P3 | MEDIUM | CVSS 6.5 | fixed in 13.8.0 | 2024-03-21
CVE-2023-38825 [MEDIUM] CWE-89: SQL injection vulnerability in Vanderbilt REDCap before v.13.8.0 allows a remote attacker to obtain sensitive information via the password reset mechanism in MyCapMobileApp/update.php.
Source: nvd
CVE-2017-10961 | P3 | HIGH | CVSS 8.8 | ≤ 7.5.0 | 2017-07-18
CVE-2017-10961 [HIGH] CWE-352: REDCap before 7.5.1 has CSRF in the deletion feature of the File Repository and File Upload components.
Source: nvd
CVE-2013-4609 | P4 | MEDIUM | CVSS 6.5 | ≤ 5.0.3, v4.14.0, +4 more | 2013-06-17
CVE-2013-4609 [MEDIUM] CWE-264: REDCap before 5.0.4 and 5.1.x before 5.1.3 does not reject certain undocumented syntax within branching logic and calculations, which allows remote authenticated users to bypass intended access restrictions via (1) the Online Designer or (2) the Data Dictionary upload, as demonstrated by an eval call.
Source: nvd
CVE-2024-55374 | P4 | MEDIUM | CVSS 5.3 | v14.3.13 | 2026-01-02
CVE-2024-55374 [MEDIUM] CWE-203: REDCap 14.3.13 allows an attacker to enumerate usernames due to an observable discrepancy between login attempts.
Source: nvd
CVE-2025-23111 | P4 | MEDIUM | CVSS 6.1 | v14.9.6 | 2025-01-10
CVE-2025-23111 [MEDIUM] CWE-79: An issue was discovered in REDCap 14.9.6. It allows HTML Injection via the Survey field name, exposing users to a redirection to a phishing website. An attacker can exploit this to trick the user that receives the survey into clicking on the field name, which redirects them to a phishing website. Thus, this allows malicious actions to be executed wit
Source: nvd
CVE-2022-42715 | P4 | MEDIUM | CVSS 6.1 | fixed in 12.4.18; ≥ 12.5.0, < 12.5.11 | 2022-10-12
CVE-2022-42715 [MEDIUM] CWE-79: A reflected XSS vulnerability exists in REDCap before 12.04.18 in the Alerts & Notifications upload feature. A crafted CSV file will, when uploaded, trigger arbitrary JavaScript code execution.
Source: nvd
CVE-2025-23112 | P4 | MEDIUM | CVSS 6.1 | v14.9.6 | 2025-01-10
CVE-2025-23112 [MEDIUM] CWE-79: An issue was discovered in REDCap 14.9.6. A stored cross-site scripting (XSS) vulnerability allows authenticated users to inject malicious scripts into the Survey field name of a Survey. When a user receives the survey and clicks on the field name, the XSS payload is triggered.
Source: nvd
CVE-2024-45527 | P4 | MEDIUM | CVSS 6.1 | v14.7.0 | 2024-09-02
CVE-2024-45527 [MEDIUM] CWE-352: REDCap 14.7.0 allows HTML injection via the project title of a New Project action. This can lead to resultant logout CSRF via index.php?logout=1, and can also be used to insert a link to an external phishing website.
Source: nvd
CVE-2024-37394 | P4 | MEDIUM | CVSS 5.4 | fixed in 14.2.1 | 2025-06-10
CVE-2024-37394 [MEDIUM] CWE-79: A stored cross-site scripting (XSS) vulnerability in the Project Dashboards of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Dashboard title' and 'Dashboard content' text boxes. This can lead to the execution of malicious scripts when the dashboard is viewed. Users are recomme
Source: nvd
CVE-2024-56377 | P4 | MEDIUM | CVSS 5.4 | v14.9.6 | 2025-01-09
CVE-2024-56377 [MEDIUM] CWE-79: A stored cross-site scripting (XSS) vulnerability in survey titles of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the Survey Title field or Survey Instructions. When a user receives a survey and clicks anywhere on the survey page to enter data, the crafted payload (which has been injected into all survey fields) is execu
Source: nvd