CVE-2024-56377

Published: Jan 9, 2025Modified: Jan 16, 2025

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

A stored cross-site scripting (XSS) vulnerability in survey titles of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the Survey Title field or Survey Instructions. When a user receives a survey and clicks anywhere on the survey page to enter data, the crafted payload (which has been injected into all survey fields) is executed, potentially enabling the execution of arbitrary web scripts.

Affected (1)

Products: Vanderbilt: Redcap

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Vanderbilt Redcap	Version 14.9.6

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE-2024-56377/README.md

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.evms.edu/research/resources_services/redcap/redcap_change_log/

Source: cve@mitre.org

Release Notes

Timeline

No history available yet.