CVE-2024-37396

Published: Jun 10, 2025Modified: Jun 16, 2025

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

A stored cross-site scripting (XSS) vulnerability in the Calendar function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Notes' field of a calendar event. This could lead to the execution of malicious scripts when the event is viewed. Updating to version 14.2.1 or later is recommended to remediate this vulnerability.

Affected (1)

Products: Vanderbilt: Redcap

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Vanderbilt Redcap	Before 14.2.1

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://www.evms.edu/research/resources_services/redcap/redcap_change_log/

Source: cve@mitre.org

Release Notes

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/multiple-cross-site-scripting-xss-vulnerabilities-in-redcap-cve-2024-37394-cve-2024-37395-and-cve-2024-37396/

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.trustwave.com/hubfs/Web/Library/Advisories_txt/TWSL2024-003_XSS_REDCap_1.txt

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/multiple-cross-site-scripting-xss-vulnerabilities-in-redcap-cve-2024-37394-cve-2024-37395-and-cve-2024-37396/

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitThird Party Advisory

Timeline

No history available yet.