
Vanderbilt Redcap vulnerabilities

40 known vulnerabilities affecting vanderbilt/redcap.

Total CVEs
40
CISA KEV
0
Public exploits
2
Exploited in wild
0
Severity breakdown
CRITICAL: 4, HIGH: 6, MEDIUM: 28, LOW: 2

Vulnerabilities

Page 2 of 2
CVE-2024-56312 | P4 | MEDIUM | CVSS 5.4 | ≤ 14.9.6 | 2024-12-22
CVE-2024-56312 [MEDIUM] CWE-79: A stored cross-site scripting (XSS) vulnerability in the Project Dashboard name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project Dashboard. When a user clicks on the project Dashboard name, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts.
nvd
CVE-2024-56314 | P4 | MEDIUM | CVSS 5.4 | ≤ 14.9.6 | 2024-12-22
CVE-2024-56314 [MEDIUM] CWE-79: A stored cross-site scripting (XSS) vulnerability in the Project name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project. When a user clicks on the project name to access it, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts.
nvd
CVE-2024-37395 | P4 | MEDIUM | CVSS 5.4 | fixed in 14.2.1 | 2025-06-10
CVE-2024-37395 [MEDIUM] CWE-79: A stored cross-site scripting (XSS) vulnerability in the Public Survey function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Survey Title' and 'Survey Instructions' fields. This vulnerability could be exploited by attackers to execute malicious scripts when the survey is
nvd
CVE-2020-26713 | P4 | MEDIUM | CVSS 6.1 | v10.0.20, v10.3.4 | 2021-01-12
CVE-2020-26713 [MEDIUM] CWE-79: REDCap 10.3.4 contains an XSS vulnerability in the ToDoList function with parameter sort. The information submitted by the user is immediately returned in the response and not escaped, leading to a reflected XSS vulnerability. Attackers can exploit this to steal login session information or borrow user rights to perform unauthorized acts.
nvd
CVE-2022-24127 | P4 | MEDIUM | CVSS 5.4 | v12.0.11 | 2022-06-15
CVE-2022-24127 [MEDIUM] CWE-79: A Stored Cross-Site Scripting (XSS) vulnerability was discovered in ProjectGeneral/edit_project_settings.php in REDCap 12.0.11. This issue allows any user with project management permissions to inject arbitrary code into the project title (app_title) field when editing an existing project. The payload is then reflected within the title tag of the pag
nvd
CVE-2022-24004 | P4 | MEDIUM | CVSS 5.4 | v12.0.11 | 2022-06-15
CVE-2022-24004 [MEDIUM] CWE-79: A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Messenger/messenger_ajax.php in REDCap 12.0.11. This issue allows any authenticated user to inject arbitrary code into the messenger title (aka new_title) field when editing an existing conversation. The payload executes in the browser of any conversation participant with the sidebar
nvd
CVE-2024-56376 | P4 | MEDIUM | CVSS 5.4 | v14.9.6 | 2025-01-09
CVE-2024-56376 [MEDIUM] CWE-79: A stored cross-site scripting (XSS) vulnerability in the built-in messenger of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the message field. When a user clicks on the received message, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts.
nvd
CVE-2024-56313 | P4 | MEDIUM | CVSS 5.4 | ≤ 14.9.6 | 2024-12-22
CVE-2024-56313 [MEDIUM] CWE-79: A stored cross-site scripting (XSS) vulnerability in the Calendar feature of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the Notes field of a calendar event. When the event is viewed, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts.
nvd
CVE-2024-37396 | P4 | MEDIUM | CVSS 5.4 | fixed in 14.2.1 | 2025-06-10
CVE-2024-37396 [MEDIUM] CWE-79: A stored cross-site scripting (XSS) vulnerability in the Calendar function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Notes' field of a calendar event. This could lead to the execution of malicious scripts when the event is viewed. Updating to version 14.2.1 or later is
nvd
CVE-2025-23110 | P4 | MEDIUM | CVSS 6.1 | v14.9.6 | 2025-01-10
CVE-2025-23110 [MEDIUM] CWE-79: An issue was discovered in REDCap 14.9.6. A Reflected cross-site scripting (XSS) vulnerability in the email-subject field exists while performing an upload of a CSV file containing a list of alert configurations. An attacker can send the victim a CSV file containing the XSS payload in the email-subject. Once the victim uploads the file, he automatica
nvd
CVE-2019-15127 | P4 | MEDIUM | CVSS 5.4 | fixed in 9.3.0 | 2019-08-21
CVE-2019-15127 [MEDIUM] CWE-79: REDCap before 9.3.0 allows XSS attacks against non-administrator accounts on the Data Import Tool page via a CSV data import file.
nvd
CVE-2023-37798 | P4 | MEDIUM | CVSS 5.4 | ≤ 13.1.35 | 2023-09-07
CVE-2023-37798 [MEDIUM] CWE-79: A stored cross-site scripting (XSS) vulnerability in the new REDCap project creation function of Vanderbilt REDCap 13.1.35 allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the project title parameter.
nvd
CVE-2020-27358 | P4 | MEDIUM | CVSS 4.3 | ≥ 8.11.6, < 10.0 | 2020-11-02
CVE-2020-27358 [MEDIUM] CWE-276: An issue was discovered in REDCap 8.11.6 through 9.x before 10. The messenger's CSV feature (that allows users to export their conversation threads as CSV) allows non-privileged users to export one another's conversation threads by changing the thread_id parameter in the request to the endpoint Messenger/messenger_download_csv.php?title=Hey&thread_i
nvd
CVE-2019-17121 | P4 | MEDIUM | CVSS 5.4 | fixed in 9.3.4 | 2019-10-04
CVE-2019-17121 [MEDIUM] CWE-79: REDCap before 9.3.4 has XSS on the Customize & Manage Locking/E-signatures page via Lock Record Custom Text values.
nvd
CVE-2013-4612 | P4 | MEDIUM | CVSS 4.3 | ≤ 5.0.6, v4.14.0 +4 more | 2013-06-17
CVE-2013-4612 [MEDIUM] CWE-79: Multiple cross-site scripting (XSS) vulnerabilities in REDCap before 5.1.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving different modules.
nvd
CVE-2012-6566 | P4 | MEDIUM | CVSS 4.3 | ≤ 4.14.1, v4.14.0 | 2013-06-17
CVE-2012-6566 [MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in REDCap before 4.14.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
nvd
CVE-2012-6564 | P4 | MEDIUM | CVSS 4.3 | ≤ 4.14.4, v4.14.0 +3 more | 2013-06-17
CVE-2012-6564 [MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in REDCap before 4.14.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
nvd
CVE-2013-4608 | P4 | MEDIUM | CVSS 4.3 | ≤ 5.0.5, v4.14.0 +4 more | 2013-06-17
CVE-2013-4608 [MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in REDCap before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via vectors involving the Graphical Data View & Descriptive Stats page.
nvd
CVE-2023-37361 | P4 | LOW | CVSS 2.7 | fixed in 12.3.2, fixed in 12.0.26 | 2023-07-25
CVE-2023-37361 [LOW] CWE-89: REDCap 12.0.26 LTS and 12.3.2 Standard allows SQL Injection via scheduling, repeatforms, purpose, app_title, or randomization.
nvd
CVE-2012-6565 | P4 | LOW | CVSS 3.5 | ≤ 4.14.2, v4.14.0 +1 more | 2013-06-17
CVE-2012-6565 [LOW] CWE-79: Cross-site scripting (XSS) vulnerability in REDCap before 4.14.3 allows remote authenticated users to inject arbitrary web script or HTML via uppercase characters in JavaScript events within user-defined labels.
nvd
Vanderbilt Redcap vulnerabilities | cvebase