CVE-2024-37395

Published: Jun 10, 2025Modified: Jun 16, 2025

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

A stored cross-site scripting (XSS) vulnerability in the Public Survey function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Survey Title' and 'Survey Instructions' fields. This vulnerability could be exploited by attackers to execute malicious scripts when the survey is accessed through its public link. It is advised to update to version 14.2.1 or later to fix this issue.

Affected (1)

Products: Vanderbilt: Redcap

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Vanderbilt Redcap	Before 14.2.1

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://www.evms.edu/research/resources_services/redcap/redcap_change_log/

Source: cve@mitre.org

Product

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/multiple-cross-site-scripting-xss-vulnerabilities-in-redcap-cve-2024-37394-cve-2024-37395-and-cve-2024-37396/

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.trustwave.com/hubfs/Web/Library/Advisories_txt/TWSL2024-003_XSS_REDCap_1.txt

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/multiple-cross-site-scripting-xss-vulnerabilities-in-redcap-cve-2024-37394-cve-2024-37395-and-cve-2024-37396/

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitThird Party Advisory

Timeline

No history available yet.