Vulnerabilites related to vanderbilt - redcap
Vulnerability from fkie_nvd
Published
2019-08-17 17:15
Modified
2024-11-21 04:27
Severity ?
Summary
REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php. The attacker can obtain a user's login sessionid from the database, and then re-login into REDCap to compromise all data.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BE852A90-17E8-48F1-8AB7-9926B9091574",
"versionEndExcluding": "9.3.0",
"versionStartIncluding": "8.11.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php. The attacker can obtain a user\u0027s login sessionid from the database, and then re-login into REDCap to compromise all data."
},
{
"lang": "es",
"value": "REDCap versiones anteriores a 9.3.0, permite la inyecci\u00f3n SQL basada en tiempo en el evento de edici\u00f3n de calendario por medio del par\u00e1metro cal_id, tales como cal_id=55 y sleep(3) en el archivo Calendar/calendar_popup_ajax.php. El atacante puede obtener un sessionid del inicio de sesi\u00f3n de un usuario desde la base de datos y luego volver a iniciar sesi\u00f3n en REDCap para comprometer todos los datos."
}
],
"id": "CVE-2019-14937",
"lastModified": "2024-11-21T04:27:43.447",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.6,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-08-17T17:15:10.057",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://gist.github.com/hiennv20/6739606a4d0d25612f5139ec391060b7"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://projectredcap.org/resources/community/"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://gist.github.com/hiennv20/6739606a4d0d25612f5139ec391060b7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://projectredcap.org/resources/community/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-06-17 11:38
Modified
2024-11-21 01:55
Severity ?
Summary
Unspecified vulnerability in the Data Search utility in data-entry forms in REDCap before 5.0.3 and 5.1.x before 5.1.2 has unknown impact and remote attack vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| project-redcap | redcap | 4.13.18 | |
| project-redcap | redcap | 4.14.5 | |
| project-redcap | redcap | 4.14.6 | |
| project-redcap | redcap | 4.15.0 | |
| project-redcap | redcap | 4.15.1 | |
| project-redcap | redcap | 4.15.2 | |
| project-redcap | redcap | 4.15.3 | |
| project-redcap | redcap | 4.15.4 | |
| project-redcap | redcap | 5.0.0 | |
| project-redcap | redcap | 5.0.1 | |
| project-redcap | redcap | 5.0.6 | |
| project-redcap | redcap | 5.1.0 | |
| project-redcap | redcap | 5.1.1 | |
| vanderbilt | redcap | * | |
| vanderbilt | redcap | 4.14.0 | |
| vanderbilt | redcap | 4.14.1 | |
| vanderbilt | redcap | 4.14.2 | |
| vanderbilt | redcap | 4.14.3 | |
| vanderbilt | redcap | 4.14.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.13.18:*:*:*:*:*:*:*",
"matchCriteriaId": "58C92B2E-A9AF-43B4-B1E4-7A873AF1DEAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.14.5:*:*:*:*:*:*:*",
"matchCriteriaId": "DA4E7E65-1147-4620-B31F-617D34822E9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.14.6:*:*:*:*:*:*:*",
"matchCriteriaId": "00CED35E-7640-44D4-B5A4-EED2D0163C79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.0:*:*:*:*:*:*:*",
"matchCriteriaId": "61C3C73D-1818-4DB7-A806-FC999EADE7E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.1:*:*:*:*:*:*:*",
"matchCriteriaId": "8347F389-9331-4689-B52A-87ABFFF02141",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B739D2A5-46DF-4CE8-9BAB-6BB94743D21D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7969B764-47A6-4AC7-B18E-236FF25C6552",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.4:*:*:*:*:*:*:*",
"matchCriteriaId": "26E48768-FDF1-4A54-8F0E-EC4732B55D66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F62B324D-6F70-41B8-B3AC-CDA6D4C3AB25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "7712A887-BB81-4FAE-9B76-FB9886BE41D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "7B2AB13A-9C46-4F92-B0D4-96358CF0FDC1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "AA90F46D-9A07-47ED-9A61-C82CBF823D55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5BDCFE16-45B4-4ADA-AD2D-CBD7706A0C23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "77B524B5-416A-4082-B36E-55F22F470AFE",
"versionEndIncluding": "5.0.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D293B038-228E-42B6-BC99-9BDFCD8D562C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "789C86D0-A11F-4C40-950A-5A617AD7C23A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C366E672-CD77-4932-80D2-09A61B3B1A8E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.3:*:*:*:*:*:*:*",
"matchCriteriaId": "F7055FD2-C107-4D23-8B8C-28607C0C0ADA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3242EC5F-0091-4097-9C6E-ADE5100017AF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unspecified vulnerability in the Data Search utility in data-entry forms in REDCap before 5.0.3 and 5.1.x before 5.1.2 has unknown impact and remote attack vectors."
},
{
"lang": "es",
"value": "Vulnerabilidad no especificada en la utilidad Data Search en los formularios de entrada de datos de REDCap anterior a v5.0.3 y v5.1.x anterior a v5.1.2 tiene un impacto y vectores de ataque desconocidos."
}
],
"id": "CVE-2013-4610",
"lastModified": "2024-11-21T01:55:55.410",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-06-17T11:38:53.590",
"references": [
{
"source": "cve@mitre.org",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-06-17 11:38
Modified
2024-11-21 01:55
Severity ?
Summary
Multiple unspecified vulnerabilities in REDCap before 5.1.1 allow remote attackers to have an unknown impact via vectors involving (1) the Online Designer page or (2) the Manage Survey Participants page.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| project-redcap | redcap | 4.13.18 | |
| project-redcap | redcap | 4.14.5 | |
| project-redcap | redcap | 4.14.6 | |
| project-redcap | redcap | 4.15.0 | |
| project-redcap | redcap | 4.15.1 | |
| project-redcap | redcap | 4.15.2 | |
| project-redcap | redcap | 4.15.3 | |
| project-redcap | redcap | 4.15.4 | |
| project-redcap | redcap | 5.0.0 | |
| project-redcap | redcap | 5.0.1 | |
| project-redcap | redcap | 5.0.2 | |
| project-redcap | redcap | 5.0.3 | |
| project-redcap | redcap | 5.0.4 | |
| project-redcap | redcap | 5.0.5 | |
| project-redcap | redcap | 5.0.6 | |
| vanderbilt | redcap | * | |
| vanderbilt | redcap | 4.14.0 | |
| vanderbilt | redcap | 4.14.1 | |
| vanderbilt | redcap | 4.14.2 | |
| vanderbilt | redcap | 4.14.3 | |
| vanderbilt | redcap | 4.14.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.13.18:*:*:*:*:*:*:*",
"matchCriteriaId": "58C92B2E-A9AF-43B4-B1E4-7A873AF1DEAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.14.5:*:*:*:*:*:*:*",
"matchCriteriaId": "DA4E7E65-1147-4620-B31F-617D34822E9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.14.6:*:*:*:*:*:*:*",
"matchCriteriaId": "00CED35E-7640-44D4-B5A4-EED2D0163C79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.0:*:*:*:*:*:*:*",
"matchCriteriaId": "61C3C73D-1818-4DB7-A806-FC999EADE7E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.1:*:*:*:*:*:*:*",
"matchCriteriaId": "8347F389-9331-4689-B52A-87ABFFF02141",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B739D2A5-46DF-4CE8-9BAB-6BB94743D21D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7969B764-47A6-4AC7-B18E-236FF25C6552",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.4:*:*:*:*:*:*:*",
"matchCriteriaId": "26E48768-FDF1-4A54-8F0E-EC4732B55D66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F62B324D-6F70-41B8-B3AC-CDA6D4C3AB25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "7712A887-BB81-4FAE-9B76-FB9886BE41D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "817D8D01-B8E1-4F86-9ACE-0CAF87DA13A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "5241C18D-9714-4DEA-9552-55DD3FBE4613",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "220E8227-7D41-48A9-9D61-BEB47EB19FCA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0D82141E-A1F3-474C-86CE-C7409C4E445F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "7B2AB13A-9C46-4F92-B0D4-96358CF0FDC1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C765A45C-FBBA-4AA0-97BB-9945A8456072",
"versionEndIncluding": "5.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D293B038-228E-42B6-BC99-9BDFCD8D562C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "789C86D0-A11F-4C40-950A-5A617AD7C23A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C366E672-CD77-4932-80D2-09A61B3B1A8E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.3:*:*:*:*:*:*:*",
"matchCriteriaId": "F7055FD2-C107-4D23-8B8C-28607C0C0ADA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3242EC5F-0091-4097-9C6E-ADE5100017AF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple unspecified vulnerabilities in REDCap before 5.1.1 allow remote attackers to have an unknown impact via vectors involving (1) the Online Designer page or (2) the Manage Survey Participants page."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades no especificadas en REDCap anterior a v5.1.1 permite a atacantes remotos tener un impacto no determinado a trav\u00e9s de vectores que implican (1) la pagina de Online Designer o (2) la pagina de Manage Survey Participants."
}
],
"id": "CVE-2013-4611",
"lastModified": "2024-11-21T01:55:55.550",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-06-17T11:38:53.613",
"references": [
{
"source": "cve@mitre.org",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-07-11 19:15
Modified
2024-11-21 04:24
Severity ?
Summary
Multiple stored Cross-site scripting (XSS) issues in the admin panel and survey system in REDCap 8 before 8.10.20 and 9 before 9.1.2 allow an attacker to inject arbitrary malicious HTML or JavaScript code into a user's web browser.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/153691/REDCap-Cross-Site-Scripting.html | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://gitlab.com/snippets/1874216 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/153691/REDCap-Cross-Site-Scripting.html | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://gitlab.com/snippets/1874216 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * | |
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7D11F327-2589-4674-B592-34204181109B",
"versionEndExcluding": "8.10.2",
"versionStartIncluding": "8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A78AEDD-608F-4583-BF89-92A3066F7EA1",
"versionEndExcluding": "9.1.2",
"versionStartIncluding": "9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple stored Cross-site scripting (XSS) issues in the admin panel and survey system in REDCap 8 before 8.10.20 and 9 before 9.1.2 allow an attacker to inject arbitrary malicious HTML or JavaScript code into a user\u0027s web browser."
},
{
"lang": "es",
"value": "M\u00faltiples problemas de tipo cross-site-scripting (XSS) almacenados en el panel de administraci\u00f3n y el sistema de encuestas en REDCap versiones 8 anteriores a 8.10.20 y versiones 9 anteriores a 9.1.2, permiten a un atacante inyectar c\u00f3digo HTML o JavaScript malicioso y arbitrario en el navegador web de un usuario."
}
],
"id": "CVE-2019-13029",
"lastModified": "2024-11-21T04:24:04.627",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-07-11T19:15:13.237",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/153691/REDCap-Cross-Site-Scripting.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://gitlab.com/snippets/1874216"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/153691/REDCap-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://gitlab.com/snippets/1874216"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-02-08 15:29
Modified
2024-11-21 03:31
Severity ?
Summary
A SQL injection issue exists in a file upload handler in REDCap 7.x before 7.0.11 via a trailing substring to SendITController:upload.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F4E4E26B-01A3-472F-B4CA-0944E7B86212",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "7.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A SQL injection issue exists in a file upload handler in REDCap 7.x before 7.0.11 via a trailing substring to SendITController:upload."
},
{
"lang": "es",
"value": "Existe un problema de inyecci\u00f3n SQL en un manipulador de subida de archivos en REDCap, en versiones 7.x anteriores a la 7.0.11, mediante una subcadena final a SendITController:upload."
}
],
"id": "CVE-2017-7351",
"lastModified": "2024-11-21T03:31:40.143",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-02-08T15:29:00.277",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://labs.nettitude.com/blog/cve-2017-7351-redcap-7-0-0-7-0-10-sql-injection/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://labs.nettitude.com/blog/cve-2017-7351-redcap-7-0-0-7-0-10-sql-injection/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-01-12 15:15
Modified
2024-11-21 05:20
Severity ?
Summary
REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList function via sort parameter. The application uses the addition of a string of information from the submitted user that is not validated well in the database query, resulting in an SQL injection vulnerability where an attacker can exploit and compromise all databases.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/vuongdq54/RedCap | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://www.project-redcap.org/ | Product, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vuongdq54/RedCap | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.project-redcap.org/ | Product, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | 10.0.20 | |
| vanderbilt | redcap | 10.3.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:10.0.20:*:*:*:lts:*:*:*",
"matchCriteriaId": "453770EC-9CBC-42AF-94A2-128E9EAC2367",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:10.3.4:*:*:*:-:*:*:*",
"matchCriteriaId": "BBFEBD85-9056-457B-929C-784EE838A146",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList function via sort parameter. The application uses the addition of a string of information from the submitted user that is not validated well in the database query, resulting in an SQL injection vulnerability where an attacker can exploit and compromise all databases."
},
{
"lang": "es",
"value": "REDCap versi\u00f3n 10.3.4, contiene una vulnerabilidad de inyecci\u00f3n SQL en la funci\u00f3n ToDoList por medio del par\u00e1metro sort.\u0026#xa0;La aplicaci\u00f3n utiliza la adici\u00f3n de una cadena de informaci\u00f3n del usuario enviado que no est\u00e1 bien comprobada en la consulta de la base de datos, resultando en una vulnerabilidad de inyecci\u00f3n SQL donde un atacante puede explotar y comprometer todas las bases de datos"
}
],
"id": "CVE-2020-26712",
"lastModified": "2024-11-21T05:20:16.153",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-01-12T15:15:13.783",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/vuongdq54/RedCap"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"source": "cve@mitre.org",
"tags": [
"Product",
"Vendor Advisory"
],
"url": "https://www.project-redcap.org/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/vuongdq54/RedCap"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Vendor Advisory"
],
"url": "https://www.project-redcap.org/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-10-12 13:15
Modified
2024-11-21 07:25
Severity ?
Summary
A reflected XSS vulnerability exists in REDCap before 12.04.18 in the Alerts & Notifications upload feature. A crafted CSV file will, when uploaded, trigger arbitrary JavaScript code execution.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/uclahs-secops/security-research/tree/main/reports/20221011-recap-xss | Exploit, Third Party Advisory | |
| cve@mitre.org | https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf | Release Notes, Third Party Advisory | |
| cve@mitre.org | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/uclahs-secops/security-research/tree/main/reports/20221011-recap-xss | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * | |
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "99E46B49-3C2C-4FA8-85E2-921321D4F318",
"versionEndExcluding": "12.4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EA65CD2E-81E9-42A1-B8DE-96C0A7BAEDD4",
"versionEndExcluding": "12.5.11",
"versionStartIncluding": "12.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A reflected XSS vulnerability exists in REDCap before 12.04.18 in the Alerts \u0026 Notifications upload feature. A crafted CSV file will, when uploaded, trigger arbitrary JavaScript code execution."
},
{
"lang": "es",
"value": "Se presenta una vulnerabilidad de tipo XSS reflejado en REDCap versiones anteriores a 12.04.18, en la funcionalidad Alerts \u0026amp; Notifications upload. Un archivo CSV dise\u00f1ado, cuando es cargado, desencadena una ejecuci\u00f3n arbitraria de c\u00f3digo JavaScript"
}
],
"id": "CVE-2022-42715",
"lastModified": "2024-11-21T07:25:12.353",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-10-12T13:15:10.833",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/uclahs-secops/security-research/tree/main/reports/20221011-recap-xss"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/uclahs-secops/security-research/tree/main/reports/20221011-recap-xss"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-06-17 11:38
Modified
2024-11-21 01:46
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in REDCap before 4.14.3 allows remote authenticated users to inject arbitrary web script or HTML via uppercase characters in JavaScript events within user-defined labels.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * | |
| vanderbilt | redcap | 4.14.0 | |
| vanderbilt | redcap | 4.14.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "17727622-4793-4DCF-8991-A1FF3F2EC1A3",
"versionEndIncluding": "4.14.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D293B038-228E-42B6-BC99-9BDFCD8D562C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "789C86D0-A11F-4C40-950A-5A617AD7C23A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in REDCap before 4.14.3 allows remote authenticated users to inject arbitrary web script or HTML via uppercase characters in JavaScript events within user-defined labels."
},
{
"lang": "es",
"value": "Vulnerabilidad Cross-site scripting (XSS) en REDCap anterior a v4.14.3 permite a los usuarios remotos autenticados inyectar secuencias de comandos web o HTML a trav\u00e9s de caracteres may\u00fasculas en los eventos de JavaScript dentro de las etiquetas definidas por el usuario."
}
],
"id": "CVE-2012-6565",
"lastModified": "2024-11-21T01:46:23.393",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2013-06-17T11:38:48.870",
"references": [
{
"source": "cve@mitre.org",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-07-25 01:15
Modified
2024-11-21 08:11
Severity ?
Summary
REDCap 12.0.26 LTS and 12.3.2 Standard allows SQL Injection via scheduling, repeatforms, purpose, app_title, or randomization.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://trustwave.com | Not Applicable | |
| cve@mitre.org | https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=32305 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://trustwave.com | Not Applicable | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=32305 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * | |
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A617CBA8-C5BE-4043-9B80-03C66F1447CD",
"versionEndExcluding": "12.3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:lts:*:*:*",
"matchCriteriaId": "95A5B3F3-8497-4CFE-97A1-FAAF2E589777",
"versionEndExcluding": "12.0.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "REDCap 12.0.26 LTS and 12.3.2 Standard allows SQL Injection via scheduling, repeatforms, purpose, app_title, or randomization."
}
],
"id": "CVE-2023-37361",
"lastModified": "2024-11-21T08:11:34.950",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-07-25T01:15:09.377",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Not Applicable"
],
"url": "https://trustwave.com"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=32305"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Not Applicable"
],
"url": "https://trustwave.com"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=32305"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-06-17 11:38
Modified
2024-11-21 01:55
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in REDCap before 5.1.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving different modules.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| project-redcap | redcap | 4.13.18 | |
| project-redcap | redcap | 4.14.5 | |
| project-redcap | redcap | 4.14.6 | |
| project-redcap | redcap | 4.15.0 | |
| project-redcap | redcap | 4.15.1 | |
| project-redcap | redcap | 4.15.2 | |
| project-redcap | redcap | 4.15.3 | |
| project-redcap | redcap | 4.15.4 | |
| project-redcap | redcap | 5.0.0 | |
| project-redcap | redcap | 5.0.1 | |
| project-redcap | redcap | 5.0.2 | |
| project-redcap | redcap | 5.0.3 | |
| project-redcap | redcap | 5.0.4 | |
| project-redcap | redcap | 5.0.5 | |
| vanderbilt | redcap | * | |
| vanderbilt | redcap | 4.14.0 | |
| vanderbilt | redcap | 4.14.1 | |
| vanderbilt | redcap | 4.14.2 | |
| vanderbilt | redcap | 4.14.3 | |
| vanderbilt | redcap | 4.14.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.13.18:*:*:*:*:*:*:*",
"matchCriteriaId": "58C92B2E-A9AF-43B4-B1E4-7A873AF1DEAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.14.5:*:*:*:*:*:*:*",
"matchCriteriaId": "DA4E7E65-1147-4620-B31F-617D34822E9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.14.6:*:*:*:*:*:*:*",
"matchCriteriaId": "00CED35E-7640-44D4-B5A4-EED2D0163C79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.0:*:*:*:*:*:*:*",
"matchCriteriaId": "61C3C73D-1818-4DB7-A806-FC999EADE7E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.1:*:*:*:*:*:*:*",
"matchCriteriaId": "8347F389-9331-4689-B52A-87ABFFF02141",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B739D2A5-46DF-4CE8-9BAB-6BB94743D21D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7969B764-47A6-4AC7-B18E-236FF25C6552",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.4:*:*:*:*:*:*:*",
"matchCriteriaId": "26E48768-FDF1-4A54-8F0E-EC4732B55D66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F62B324D-6F70-41B8-B3AC-CDA6D4C3AB25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "7712A887-BB81-4FAE-9B76-FB9886BE41D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "817D8D01-B8E1-4F86-9ACE-0CAF87DA13A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "5241C18D-9714-4DEA-9552-55DD3FBE4613",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "220E8227-7D41-48A9-9D61-BEB47EB19FCA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0D82141E-A1F3-474C-86CE-C7409C4E445F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "82D2498A-677C-41B3-8966-0DC701401F88",
"versionEndIncluding": "5.0.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D293B038-228E-42B6-BC99-9BDFCD8D562C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "789C86D0-A11F-4C40-950A-5A617AD7C23A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C366E672-CD77-4932-80D2-09A61B3B1A8E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.3:*:*:*:*:*:*:*",
"matchCriteriaId": "F7055FD2-C107-4D23-8B8C-28607C0C0ADA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3242EC5F-0091-4097-9C6E-ADE5100017AF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in REDCap before 5.1.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving different modules."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de cross-site scripting (XSS) en REDCap anterior a v5.1.0 permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s de vectores no especificados implicando diferentes m\u00f3dulos."
}
],
"id": "CVE-2013-4612",
"lastModified": "2024-11-21T01:55:55.690",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2013-06-17T11:38:53.637",
"references": [
{
"source": "cve@mitre.org",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-06-17 11:38
Modified
2024-11-21 01:55
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in REDCap before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via vectors involving the Graphical Data View & Descriptive Stats page.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| project-redcap | redcap | 4.13.18 | |
| project-redcap | redcap | 4.14.5 | |
| project-redcap | redcap | 4.14.6 | |
| project-redcap | redcap | 4.15.0 | |
| project-redcap | redcap | 4.15.1 | |
| project-redcap | redcap | 4.15.2 | |
| project-redcap | redcap | 4.15.3 | |
| project-redcap | redcap | 4.15.4 | |
| project-redcap | redcap | 5.0.0 | |
| project-redcap | redcap | 5.0.1 | |
| project-redcap | redcap | 5.0.2 | |
| project-redcap | redcap | 5.0.3 | |
| project-redcap | redcap | 5.0.4 | |
| vanderbilt | redcap | * | |
| vanderbilt | redcap | 4.14.0 | |
| vanderbilt | redcap | 4.14.1 | |
| vanderbilt | redcap | 4.14.2 | |
| vanderbilt | redcap | 4.14.3 | |
| vanderbilt | redcap | 4.14.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.13.18:*:*:*:*:*:*:*",
"matchCriteriaId": "58C92B2E-A9AF-43B4-B1E4-7A873AF1DEAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.14.5:*:*:*:*:*:*:*",
"matchCriteriaId": "DA4E7E65-1147-4620-B31F-617D34822E9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.14.6:*:*:*:*:*:*:*",
"matchCriteriaId": "00CED35E-7640-44D4-B5A4-EED2D0163C79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.0:*:*:*:*:*:*:*",
"matchCriteriaId": "61C3C73D-1818-4DB7-A806-FC999EADE7E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.1:*:*:*:*:*:*:*",
"matchCriteriaId": "8347F389-9331-4689-B52A-87ABFFF02141",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B739D2A5-46DF-4CE8-9BAB-6BB94743D21D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7969B764-47A6-4AC7-B18E-236FF25C6552",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.4:*:*:*:*:*:*:*",
"matchCriteriaId": "26E48768-FDF1-4A54-8F0E-EC4732B55D66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F62B324D-6F70-41B8-B3AC-CDA6D4C3AB25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "7712A887-BB81-4FAE-9B76-FB9886BE41D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "817D8D01-B8E1-4F86-9ACE-0CAF87DA13A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "5241C18D-9714-4DEA-9552-55DD3FBE4613",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "220E8227-7D41-48A9-9D61-BEB47EB19FCA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "930C4C7A-A038-4045-AAA1-67E8B6CE7C12",
"versionEndIncluding": "5.0.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D293B038-228E-42B6-BC99-9BDFCD8D562C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "789C86D0-A11F-4C40-950A-5A617AD7C23A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C366E672-CD77-4932-80D2-09A61B3B1A8E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.3:*:*:*:*:*:*:*",
"matchCriteriaId": "F7055FD2-C107-4D23-8B8C-28607C0C0ADA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3242EC5F-0091-4097-9C6E-ADE5100017AF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in REDCap before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via vectors involving the Graphical Data View \u0026 Descriptive Stats page."
},
{
"lang": "es",
"value": "Vulnerabilidad Cross-site scripting (XSS) en REDCap anterior a v5.0.6 permite a atacantes remotos inyectar secuencias arbitrarias de comandos web o HTML a trav\u00e9s de vectores que involucran a el Graphical Data View y la pagina Descriptive Stats."
}
],
"id": "CVE-2013-4608",
"lastModified": "2024-11-21T01:55:55.130",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2013-06-17T11:38:53.433",
"references": [
{
"source": "cve@mitre.org",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-06-15 19:15
Modified
2024-11-21 06:49
Severity ?
Summary
A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Messenger/messenger_ajax.php in REDCap 12.0.11. This issue allows any authenticated user to inject arbitrary code into the messenger title (aka new_title) field when editing an existing conversation. The payload executes in the browser of any conversation participant with the sidebar shown.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/ | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | 12.0.11 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:12.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "F352AFB1-6A9E-4FE9-80AF-195DA07E0DAE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Messenger/messenger_ajax.php in REDCap 12.0.11. This issue allows any authenticated user to inject arbitrary code into the messenger title (aka new_title) field when editing an existing conversation. The payload executes in the browser of any conversation participant with the sidebar shown."
},
{
"lang": "es",
"value": "Se ha detectado una vulnerabilidad de tipo Cross-Site Scripting (XSS) almacenado en el archivo Messenger/messenger_ajax.php en REDCap versi\u00f3n 12.0.11. Este problema permite a cualquier usuario autenticado inyectar c\u00f3digo arbitrario en el campo del t\u00edtulo de Messenger (tambi\u00e9n se conoce como new_title) cuando es editada una conversaci\u00f3n existente. La carga \u00fatil es ejecutada en el navegador de cualquier participante de la conversaci\u00f3n con la barra lateral mostrada"
}
],
"id": "CVE-2022-24004",
"lastModified": "2024-11-21T06:49:38.347",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-15T19:15:10.790",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-01-12 15:15
Modified
2024-11-21 05:20
Severity ?
Summary
REDCap 10.3.4 contains a XSS vulnerability in the ToDoList function with parameter sort. The information submitted by the user is immediately returned in the response and not escaped leading to the reflected XSS vulnerability. Attackers can exploit vulnerabilities to steal login session information or borrow user rights to perform unauthorized acts.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/vuongdq54/RedCap | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://www.project-redcap.org/ | Product, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vuongdq54/RedCap | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.project-redcap.org/ | Product, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | 10.0.20 | |
| vanderbilt | redcap | 10.3.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:10.0.20:*:*:*:lts:*:*:*",
"matchCriteriaId": "453770EC-9CBC-42AF-94A2-128E9EAC2367",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:10.3.4:*:*:*:-:*:*:*",
"matchCriteriaId": "BBFEBD85-9056-457B-929C-784EE838A146",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "REDCap 10.3.4 contains a XSS vulnerability in the ToDoList function with parameter sort. The information submitted by the user is immediately returned in the response and not escaped leading to the reflected XSS vulnerability. Attackers can exploit vulnerabilities to steal login session information or borrow user rights to perform unauthorized acts."
},
{
"lang": "es",
"value": "REDCap versi\u00f3n 10.3.4, contiene una vulnerabilidad de tipo XSS en la funci\u00f3n ToDoList con el par\u00e1metro sort.\u0026#xa0;La informaci\u00f3n enviada por el usuario es inmediatamente devuelta en la respuesta y no se escapa, conllevando a una vulnerabilidad de tipo XSS reflejado.\u0026#xa0;Los atacantes pueden explotar vulnerabilidades para robar informaci\u00f3n de la sesi\u00f3n de inicio de sesi\u00f3n o tomar prestados derechos de usuario para llevar a cabo actos no autorizados"
}
],
"id": "CVE-2020-26713",
"lastModified": "2024-11-21T05:20:16.313",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-01-12T15:15:13.843",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/vuongdq54/RedCap"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"source": "cve@mitre.org",
"tags": [
"Product",
"Vendor Advisory"
],
"url": "https://www.project-redcap.org/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/vuongdq54/RedCap"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Vendor Advisory"
],
"url": "https://www.project-redcap.org/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-01-09 23:15
Modified
2025-01-16 21:10
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
A stored cross-site scripting (XSS) vulnerability in survey titles of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the Survey Title field or Survey Instructions. When a user receives a survey and clicks anywhere on the survey page to enter data, the crafted payload (which has been injected into all survey fields) is executed, potentially enabling the execution of arbitrary web scripts.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE-2024-56377/README.md | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | 14.9.6 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:14.9.6:*:*:*:*:*:*:*",
"matchCriteriaId": "9A7B89E2-F504-45AE-8AB3-D1E31B2DD5EF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in survey titles of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the Survey Title field or Survey Instructions. When a user receives a survey and clicks anywhere on the survey page to enter data, the crafted payload (which has been injected into all survey fields) is executed, potentially enabling the execution of arbitrary web scripts."
},
{
"lang": "es",
"value": "Una vulnerabilidad de Cross Site Scripting (XSS) almacenado en los t\u00edtulos de las encuestas de REDCap 14.9.6 permite a los usuarios autenticados inyectar secuencias de comandos maliciosas en el campo T\u00edtulo de la encuesta o en las Instrucciones de la encuesta. Cuando un usuario recibe una encuesta y hace clic en cualquier parte de la p\u00e1gina de la encuesta para ingresar datos, se ejecuta el payload manipulado (que se ha inyectado en todos los campos de la encuesta), lo que potencialmente permite la ejecuci\u00f3n de web scripts arbitrarios."
}
],
"id": "CVE-2024-56377",
"lastModified": "2025-01-16T21:10:25.790",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-01-09T23:15:08.173",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE-2024-56377/README.md"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-08-21 19:15
Modified
2024-11-21 04:28
Severity ?
Summary
REDCap before 9.3.0 allows XSS attacks against non-administrator accounts on the Data Import Tool page via a CSV data import file.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "89D0694B-C54F-4744-83FB-D7F4EDC3F87C",
"versionEndExcluding": "9.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "REDCap before 9.3.0 allows XSS attacks against non-administrator accounts on the Data Import Tool page via a CSV data import file."
},
{
"lang": "es",
"value": "REDCap anterior a la versi\u00f3n 9.3.0 permite ataques XSS contra cuentas que no son de administrador en la p\u00e1gina Herramienta de importaci\u00f3n de datos a trav\u00e9s de un archivo de importaci\u00f3n de datos CSV."
}
],
"id": "CVE-2019-15127",
"lastModified": "2024-11-21T04:28:06.530",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-08-21T19:15:13.980",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-13 16:15
Modified
2024-11-21 06:27
Severity ?
Summary
A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap before 11.4.0 allows remote attackers to execute JavaScript code in the client's browser by storing said code as a Missing Data Code value. This can then be leveraged to execute a Cross-Site Request Forgery attack to escalate privileges to administrator.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/166723/REDCap-Cross-Site-Scripting.html | Exploit, Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf | Release Notes, Third Party Advisory | |
| cve@mitre.org | https://www.project-redcap.org/ | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/166723/REDCap-Cross-Site-Scripting.html | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.project-redcap.org/ | Product |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B53CE43E-0282-4628-9EC5-5C17F89712BB",
"versionEndExcluding": "11.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap before 11.4.0 allows remote attackers to execute JavaScript code in the client\u0027s browser by storing said code as a Missing Data Code value. This can then be leveraged to execute a Cross-Site Request Forgery attack to escalate privileges to administrator."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo Cross-Site Scripting (XSS) almacenada en la funcionalidad Missing Data Codes de REDCap versi\u00f3n 11.2.5, permite a atacantes remotos ejecutar c\u00f3digo JavaScript en el navegador del cliente al almacenar dicho c\u00f3digo como un valor de c\u00f3digo de datos perdidos. Esto puede ser aprovechado para ejecutar un ataque de tipo Cross-Site Request Forgery para escalar privilegios a administrador"
}
],
"id": "CVE-2021-42136",
"lastModified": "2024-11-21T06:27:20.160",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-13T16:15:09.563",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/166723/REDCap-Cross-Site-Scripting.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.project-redcap.org/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/166723/REDCap-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://www.project-redcap.org/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-06-17 11:38
Modified
2024-11-21 01:46
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in REDCap before 4.14.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * | |
| vanderbilt | redcap | 4.14.0 | |
| vanderbilt | redcap | 4.14.1 | |
| vanderbilt | redcap | 4.14.2 | |
| vanderbilt | redcap | 4.14.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A198B961-0814-4C71-AD2E-8F61E5220F60",
"versionEndIncluding": "4.14.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D293B038-228E-42B6-BC99-9BDFCD8D562C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "789C86D0-A11F-4C40-950A-5A617AD7C23A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C366E672-CD77-4932-80D2-09A61B3B1A8E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.3:*:*:*:*:*:*:*",
"matchCriteriaId": "F7055FD2-C107-4D23-8B8C-28607C0C0ADA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in REDCap before 4.14.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
},
{
"lang": "es",
"value": "Vulnerabilidad Cross-site scripting (XSS) en REDCap anterior a v4.14.5 permite a atacantes remotos a inyectar secuencias de comandos Web o HTML a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2012-6564",
"lastModified": "2024-11-21T01:46:23.250",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2013-06-17T11:38:48.833",
"references": [
{
"source": "cve@mitre.org",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-10-04 03:15
Modified
2024-11-21 04:31
Severity ?
Summary
REDCap before 9.3.4 has XSS on the Customize & Manage Locking/E-signatures page via Lock Record Custom Text values.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "181A3B66-344F-4AB0-BCFF-B2EAC05B94DF",
"versionEndExcluding": "9.3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "REDCap before 9.3.4 has XSS on the Customize \u0026 Manage Locking/E-signatures page via Lock Record Custom Text values."
},
{
"lang": "es",
"value": "REDCap versiones anteriores a 9.3.4, presenta una vulnerabilidad de tipo XSS en la p\u00e1gina Customize \u0026amp; Manage Locking/E-signatures por medio de valores Lock Record Custom Text."
}
],
"id": "CVE-2019-17121",
"lastModified": "2024-11-21T04:31:44.237",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-04T03:15:10.273",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-09-07 19:15
Modified
2024-11-21 08:12
Severity ?
Summary
A stored cross-site scripting (XSS) vulnerability in the new REDCap project creation function of Vanderbilt REDCap 13.1.35 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the project title parameter.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "40893ACC-652C-4691-8BEB-D3AFBBDE63FD",
"versionEndIncluding": "13.1.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in the new REDCap project creation function of Vanderbilt REDCap 13.1.35 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the project title parameter."
},
{
"lang": "es",
"value": "Una vulnerabilidad de Cross-Site Scripting (XSS) Almacenado en la nueva funci\u00f3n de creaci\u00f3n de proyectos REDCap de Vanderbilt REDCap 13.1.35 permite a los atacantes ejecutar scripts web arbitrarios o HTML mediante la inyecci\u00f3n de un payload manipulado en el par\u00e1metro \"project title\"."
}
],
"id": "CVE-2023-37798",
"lastModified": "2024-11-21T08:12:16.670",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-09-07T19:15:47.510",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "http://redcap.com"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "http://vanderbilt.com"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.cyderes.com/blog/cve-2023-37798-stored-cross-site-scripting-in-vanderbilt-redcap/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "http://redcap.com"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "http://vanderbilt.com"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.cyderes.com/blog/cve-2023-37798-stored-cross-site-scripting-in-vanderbilt-redcap/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-07-18 14:29
Modified
2024-11-21 03:06
Severity ?
Summary
REDCap before 7.5.1 has XSS via the query string.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8459A929-646B-481D-9C23-78818C7D8FE6",
"versionEndIncluding": "7.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "REDCap before 7.5.1 has XSS via the query string."
},
{
"lang": "es",
"value": "REDCap anterior a versi\u00f3n 7.5.1, presenta un problema de tipo XSS por medio de la cadena de consulta."
}
],
"id": "CVE-2017-10962",
"lastModified": "2024-11-21T03:06:50.467",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-07-18T14:29:00.233",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Permissions Required"
],
"url": "https://community.projectredcap.org/articles/13/changelog-standard-release.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://gist.github.com/jordanpotti/fef4f1ada404d5ba7f88ab42e93cdaae"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required"
],
"url": "https://community.projectredcap.org/articles/13/changelog-standard-release.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://gist.github.com/jordanpotti/fef4f1ada404d5ba7f88ab42e93cdaae"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-01-09 23:15
Modified
2025-01-16 21:10
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
A stored cross-site scripting (XSS) vulnerability in the built-in messenger of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the message field. When a user click on the received message, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE-2024-56376/README.md | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | 14.9.6 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:14.9.6:*:*:*:*:*:*:*",
"matchCriteriaId": "9A7B89E2-F504-45AE-8AB3-D1E31B2DD5EF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in the built-in messenger of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the message field. When a user click on the received message, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts."
},
{
"lang": "es",
"value": "Una vulnerabilidad de Cross Site Scripting (XSS) almacenado en el mensajero integrado de REDCap 14.9.6 permite a los usuarios autenticados inyectar secuencias de comandos maliciosas en el campo de mensajes. Cuando un usuario hace clic en el mensaje recibido, se ejecuta el payload manipulado, lo que potencialmente permite la ejecuci\u00f3n de web scripts arbitrarios."
}
],
"id": "CVE-2024-56376",
"lastModified": "2025-01-16T21:10:10.170",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-01-09T23:15:07.827",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE-2024-56376/README.md"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-11-02 21:15
Modified
2024-11-21 05:21
Severity ?
Summary
An issue was discovered in REDCap 8.11.6 through 9.x before 10. The messenger's CSV feature (that allows users to export their conversation threads as CSV) allows non-privileged users to export one another's conversation threads by changing the thread_id parameter in the request to the endpoint Messenger/messenger_download_csv.php?title=Hey&thread_id={THREAD_ID}.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/seb1055/cve-2020-27358-27359 | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Exploit, Vendor Advisory | |
| cve@mitre.org | https://www.ruse.tech/blog/38 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/seb1055/cve-2020-27358-27359 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Exploit, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.ruse.tech/blog/38 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "51C25902-74A8-42CF-A9EA-10E66B81E466",
"versionEndExcluding": "10.0",
"versionStartIncluding": "8.11.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in REDCap 8.11.6 through 9.x before 10. The messenger\u0027s CSV feature (that allows users to export their conversation threads as CSV) allows non-privileged users to export one another\u0027s conversation threads by changing the thread_id parameter in the request to the endpoint Messenger/messenger_download_csv.php?title=Hey\u0026thread_id={THREAD_ID}."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en REDCap versiones 8.11.6 hasta 9.x anteriores a 10. La funcionalidad CSV de messenger (que permite a usuarios exportar sus hilos de conversaci\u00f3n como CSV) permite a usuarios no privilegiados exportar los hilos de conversaci\u00f3n de los dem\u00e1s al cambiar el par\u00e1metro thread_id en la petici\u00f3n para el endpoint Messenger/messenger_download_csv.php?title=Hey\u0026amp;thread_id={THREAD_ID}"
}
],
"id": "CVE-2020-27358",
"lastModified": "2024-11-21T05:21:03.527",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-11-02T21:15:28.647",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/seb1055/cve-2020-27358-27359"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.ruse.tech/blog/38"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/seb1055/cve-2020-27358-27359"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.ruse.tech/blog/38"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-276"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-06-17 11:38
Modified
2024-11-21 01:55
Severity ?
Summary
REDCap before 5.0.4 and 5.1.x before 5.1.3 does not reject certain undocumented syntax within branching logic and calculations, which allows remote authenticated users to bypass intended access restrictions via (1) the Online Designer or (2) the Data Dictionary upload, as demonstrated by an eval call.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| project-redcap | redcap | 4.13.18 | |
| project-redcap | redcap | 4.14.5 | |
| project-redcap | redcap | 4.14.6 | |
| project-redcap | redcap | 4.15.0 | |
| project-redcap | redcap | 4.15.1 | |
| project-redcap | redcap | 4.15.2 | |
| project-redcap | redcap | 4.15.3 | |
| project-redcap | redcap | 4.15.4 | |
| project-redcap | redcap | 5.0.0 | |
| project-redcap | redcap | 5.0.1 | |
| project-redcap | redcap | 5.0.2 | |
| project-redcap | redcap | 5.1.0 | |
| project-redcap | redcap | 5.1.1 | |
| project-redcap | redcap | 5.1.2 | |
| vanderbilt | redcap | * | |
| vanderbilt | redcap | 4.14.0 | |
| vanderbilt | redcap | 4.14.1 | |
| vanderbilt | redcap | 4.14.2 | |
| vanderbilt | redcap | 4.14.3 | |
| vanderbilt | redcap | 4.14.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.13.18:*:*:*:*:*:*:*",
"matchCriteriaId": "58C92B2E-A9AF-43B4-B1E4-7A873AF1DEAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.14.5:*:*:*:*:*:*:*",
"matchCriteriaId": "DA4E7E65-1147-4620-B31F-617D34822E9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.14.6:*:*:*:*:*:*:*",
"matchCriteriaId": "00CED35E-7640-44D4-B5A4-EED2D0163C79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.0:*:*:*:*:*:*:*",
"matchCriteriaId": "61C3C73D-1818-4DB7-A806-FC999EADE7E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.1:*:*:*:*:*:*:*",
"matchCriteriaId": "8347F389-9331-4689-B52A-87ABFFF02141",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B739D2A5-46DF-4CE8-9BAB-6BB94743D21D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7969B764-47A6-4AC7-B18E-236FF25C6552",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:4.15.4:*:*:*:*:*:*:*",
"matchCriteriaId": "26E48768-FDF1-4A54-8F0E-EC4732B55D66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F62B324D-6F70-41B8-B3AC-CDA6D4C3AB25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "7712A887-BB81-4FAE-9B76-FB9886BE41D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "817D8D01-B8E1-4F86-9ACE-0CAF87DA13A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "AA90F46D-9A07-47ED-9A61-C82CBF823D55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5BDCFE16-45B4-4ADA-AD2D-CBD7706A0C23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:project-redcap:redcap:5.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A84CE53C-EFC2-4DAA-B3A5-E165F9AE56FE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F97C5D09-EDA5-4FDC-B93B-65A7BBE87395",
"versionEndIncluding": "5.0.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D293B038-228E-42B6-BC99-9BDFCD8D562C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "789C86D0-A11F-4C40-950A-5A617AD7C23A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C366E672-CD77-4932-80D2-09A61B3B1A8E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.3:*:*:*:*:*:*:*",
"matchCriteriaId": "F7055FD2-C107-4D23-8B8C-28607C0C0ADA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3242EC5F-0091-4097-9C6E-ADE5100017AF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "REDCap before 5.0.4 and 5.1.x before 5.1.3 does not reject certain undocumented syntax within branching logic and calculations, which allows remote authenticated users to bypass intended access restrictions via (1) the Online Designer or (2) the Data Dictionary upload, as demonstrated by an eval call."
},
{
"lang": "es",
"value": "REDCap anterior a v5.0.4 y v5.1.x anterior a v5.1.3 no rechaza cierta sintaxis no documentada dentro de la l\u00f3gica de bifurcaci\u00f3n y c\u00e1lculos, lo que permite a usuarios autenticados remotamente evitar las restricciones de acceso establecidas a trav\u00e9s de (1) el Online Designer o (2) el Data Dictionary Upload, como se demostr\u00f3 por una llamada eval."
}
],
"id": "CVE-2013-4609",
"lastModified": "2024-11-21T01:55:55.270",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-06-17T11:38:53.570",
"references": [
{
"source": "cve@mitre.org",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-06-17 11:38
Modified
2024-11-21 01:46
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in REDCap before 4.14.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * | |
| vanderbilt | redcap | 4.14.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "807A465D-4AA0-4AD5-B451-E5F241829FB8",
"versionEndIncluding": "4.14.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:4.14.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D293B038-228E-42B6-BC99-9BDFCD8D562C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in REDCap before 4.14.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
},
{
"lang": "es",
"value": "Vulnerabilidad Cross-site scripting (XSS) en REDCap anterior a v4.14.2 permite a atacantes remotos a inyectar secuencias de comandos Web o HTML a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2012-6566",
"lastModified": "2024-11-21T01:46:23.527",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2013-06-17T11:38:48.893",
"references": [
{
"source": "cve@mitre.org",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-06-15 19:15
Modified
2024-11-21 06:49
Severity ?
Summary
A Stored Cross-Site Scripting (XSS) vulnerability was discovered in ProjectGeneral/edit_project_settings.php in REDCap 12.0.11. This issue allows any user with project management permissions to inject arbitrary code into the project title (app_title) field when editing an existing project. The payload is then reflected within the title tag of the page.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/ | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | 12.0.11 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:12.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "F352AFB1-6A9E-4FE9-80AF-195DA07E0DAE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A Stored Cross-Site Scripting (XSS) vulnerability was discovered in ProjectGeneral/edit_project_settings.php in REDCap 12.0.11. This issue allows any user with project management permissions to inject arbitrary code into the project title (app_title) field when editing an existing project. The payload is then reflected within the title tag of the page."
},
{
"lang": "es",
"value": "Se ha detectado una vulnerabilidad de Cross-Site Scripting (XSS) almacenadas en el archivo ProjectGeneral/edit_project_settings.php en REDCap versi\u00f3n 12.0.11. Este problema permite a cualquier usuario con permisos de administraci\u00f3n de proyectos inyectar c\u00f3digo arbitrario en el campo del t\u00edtulo del proyecto (app_title) cuando es editado un proyecto existente. La carga \u00fatil es reflejada entonces en la etiqueta de t\u00edtulo de la p\u00e1gina"
}
],
"id": "CVE-2022-24127",
"lastModified": "2024-11-21T06:49:51.967",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-15T19:15:10.840",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-07-18 14:29
Modified
2024-11-21 03:06
Severity ?
Summary
REDCap before 7.5.1 has CSRF in the deletion feature of the File Repository and File Upload components.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanderbilt | redcap | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8459A929-646B-481D-9C23-78818C7D8FE6",
"versionEndIncluding": "7.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "REDCap before 7.5.1 has CSRF in the deletion feature of the File Repository and File Upload components."
},
{
"lang": "es",
"value": "REDCap anterior a versi\u00f3n 7.5.1, presenta un problema de tipo CSRF en la funci\u00f3n deletion de los componentes File Repository y File Upload."
}
],
"id": "CVE-2017-10961",
"lastModified": "2024-11-21T03:06:50.320",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-07-18T14:29:00.187",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Permissions Required"
],
"url": "https://community.projectredcap.org/articles/13/changelog-standard-release.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://gist.github.com/jordanpotti/fef4f1ada404d5ba7f88ab42e93cdaae"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required"
],
"url": "https://community.projectredcap.org/articles/13/changelog-standard-release.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://gist.github.com/jordanpotti/fef4f1ada404d5ba7f88ab42e93cdaae"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
cve-2013-4609
Vulnerability from cvelistv5
Published
2013-06-17 10:00
Modified
2024-09-17 01:05
Severity ?
EPSS score ?
Summary
REDCap before 5.0.4 and 5.1.x before 5.1.3 does not reject certain undocumented syntax within branching logic and calculations, which allows remote authenticated users to bypass intended access restrictions via (1) the Online Designer or (2) the Data Dictionary upload, as demonstrated by an eval call.
References
| ▼ | URL | Tags |
|---|---|---|
| http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:52:26.693Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "REDCap before 5.0.4 and 5.1.x before 5.1.3 does not reject certain undocumented syntax within branching logic and calculations, which allows remote authenticated users to bypass intended access restrictions via (1) the Online Designer or (2) the Data Dictionary upload, as demonstrated by an eval call."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-06-17T10:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-4609",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "REDCap before 5.0.4 and 5.1.x before 5.1.3 does not reject certain undocumented syntax within branching logic and calculations, which allows remote authenticated users to bypass intended access restrictions via (1) the Online Designer or (2) the Data Dictionary upload, as demonstrated by an eval call."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf",
"refsource": "CONFIRM",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-4609",
"datePublished": "2013-06-17T10:00:00Z",
"dateReserved": "2013-06-17T00:00:00Z",
"dateUpdated": "2024-09-17T01:05:49.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2013-4612
Vulnerability from cvelistv5
Published
2013-06-17 10:00
Modified
2024-09-17 00:20
Severity ?
EPSS score ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in REDCap before 5.1.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving different modules.
References
| ▼ | URL | Tags |
|---|---|---|
| http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:52:26.602Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in REDCap before 5.1.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving different modules."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-06-17T10:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-4612",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in REDCap before 5.1.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving different modules."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf",
"refsource": "CONFIRM",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-4612",
"datePublished": "2013-06-17T10:00:00Z",
"dateReserved": "2013-06-17T00:00:00Z",
"dateUpdated": "2024-09-17T00:20:53.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2012-6566
Vulnerability from cvelistv5
Published
2013-06-17 10:00
Modified
2024-09-16 18:43
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in REDCap before 4.14.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
| ▼ | URL | Tags |
|---|---|---|
| http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T21:36:00.310Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in REDCap before 4.14.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-06-17T10:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-6566",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in REDCap before 4.14.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf",
"refsource": "CONFIRM",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-6566",
"datePublished": "2013-06-17T10:00:00Z",
"dateReserved": "2013-06-17T00:00:00Z",
"dateUpdated": "2024-09-16T18:43:39.448Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-17121
Vulnerability from cvelistv5
Published
2019-10-04 02:29
Modified
2024-08-05 01:33
Severity ?
EPSS score ?
Summary
REDCap before 9.3.4 has XSS on the Customize & Manage Locking/E-signatures page via Lock Record Custom Text values.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:33:17.299Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "REDCap before 9.3.4 has XSS on the Customize \u0026 Manage Locking/E-signatures page via Lock Record Custom Text values."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-04T02:29:27",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-17121",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "REDCap before 9.3.4 has XSS on the Customize \u0026 Manage Locking/E-signatures page via Lock Record Custom Text values."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/",
"refsource": "MISC",
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-17121",
"datePublished": "2019-10-04T02:29:27",
"dateReserved": "2019-10-04T00:00:00",
"dateUpdated": "2024-08-05T01:33:17.299Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2012-6564
Vulnerability from cvelistv5
Published
2013-06-17 10:00
Modified
2024-09-16 16:28
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in REDCap before 4.14.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
| ▼ | URL | Tags |
|---|---|---|
| http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T21:36:01.279Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in REDCap before 4.14.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-06-17T10:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-6564",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in REDCap before 4.14.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf",
"refsource": "CONFIRM",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-6564",
"datePublished": "2013-06-17T10:00:00Z",
"dateReserved": "2013-06-17T00:00:00Z",
"dateUpdated": "2024-09-16T16:28:30.066Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-37798
Vulnerability from cvelistv5
Published
2023-09-07 00:00
Modified
2024-09-26 17:42
Severity ?
EPSS score ?
Summary
A stored cross-site scripting (XSS) vulnerability in the new REDCap project creation function of Vanderbilt REDCap 13.1.35 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the project title parameter.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:23:27.429Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://redcap.com"
},
{
"tags": [
"x_transferred"
],
"url": "http://vanderbilt.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.cyderes.com/blog/cve-2023-37798-stored-cross-site-scripting-in-vanderbilt-redcap/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-37798",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T17:42:24.276085Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T17:42:52.524Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in the new REDCap project creation function of Vanderbilt REDCap 13.1.35 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the project title parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-07T18:23:08.802299",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "http://redcap.com"
},
{
"url": "http://vanderbilt.com"
},
{
"url": "https://www.cyderes.com/blog/cve-2023-37798-stored-cross-site-scripting-in-vanderbilt-redcap/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-37798",
"datePublished": "2023-09-07T00:00:00",
"dateReserved": "2023-07-10T00:00:00",
"dateUpdated": "2024-09-26T17:42:52.524Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-15127
Vulnerability from cvelistv5
Published
2019-08-21 18:14
Modified
2024-08-05 00:34
Severity ?
EPSS score ?
Summary
REDCap before 9.3.0 allows XSS attacks against non-administrator accounts on the Data Import Tool page via a CSV data import file.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:34:53.304Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "REDCap before 9.3.0 allows XSS attacks against non-administrator accounts on the Data Import Tool page via a CSV data import file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-21T18:14:38",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-15127",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "REDCap before 9.3.0 allows XSS attacks against non-administrator accounts on the Data Import Tool page via a CSV data import file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/",
"refsource": "CONFIRM",
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-15127",
"datePublished": "2019-08-21T18:14:38",
"dateReserved": "2019-08-17T00:00:00",
"dateUpdated": "2024-08-05T00:34:53.304Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-7351
Vulnerability from cvelistv5
Published
2018-02-08 15:00
Modified
2024-08-05 15:56
Severity ?
EPSS score ?
Summary
A SQL injection issue exists in a file upload handler in REDCap 7.x before 7.0.11 via a trailing substring to SendITController:upload.
References
| ▼ | URL | Tags |
|---|---|---|
| https://labs.nettitude.com/blog/cve-2017-7351-redcap-7-0-0-7-0-10-sql-injection/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T15:56:36.485Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://labs.nettitude.com/blog/cve-2017-7351-redcap-7-0-0-7-0-10-sql-injection/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-02-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A SQL injection issue exists in a file upload handler in REDCap 7.x before 7.0.11 via a trailing substring to SendITController:upload."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-08T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://labs.nettitude.com/blog/cve-2017-7351-redcap-7-0-0-7-0-10-sql-injection/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-7351",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A SQL injection issue exists in a file upload handler in REDCap 7.x before 7.0.11 via a trailing substring to SendITController:upload."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://labs.nettitude.com/blog/cve-2017-7351-redcap-7-0-0-7-0-10-sql-injection/",
"refsource": "MISC",
"url": "https://labs.nettitude.com/blog/cve-2017-7351-redcap-7-0-0-7-0-10-sql-injection/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-7351",
"datePublished": "2018-02-08T15:00:00",
"dateReserved": "2017-03-30T00:00:00",
"dateUpdated": "2024-08-05T15:56:36.485Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-56377
Vulnerability from cvelistv5
Published
2025-01-09 00:00
Modified
2025-01-10 16:59
Severity ?
EPSS score ?
Summary
A stored cross-site scripting (XSS) vulnerability in survey titles of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the Survey Title field or Survey Instructions. When a user receives a survey and clicks anywhere on the survey page to enter data, the crafted payload (which has been injected into all survey fields) is executed, potentially enabling the execution of arbitrary web scripts.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Vanderbilt | REDCap |
Version: 14.9.6 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56377",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-10T16:58:33.284530Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T16:59:00.480Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "REDCap",
"vendor": "Vanderbilt",
"versions": [
{
"status": "affected",
"version": "14.9.6",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"versionEndIncluding": "14.9.6",
"versionStartIncluding": "14.9.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in survey titles of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the Survey Title field or Survey Instructions. When a user receives a survey and clicks anywhere on the survey page to enter data, the crafted payload (which has been injected into all survey fields) is executed, potentially enabling the execution of arbitrary web scripts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T23:02:37.249Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE-2024-56377/README.md"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-56377",
"datePublished": "2025-01-09T00:00:00",
"dateReserved": "2024-12-22T00:00:00",
"dateUpdated": "2025-01-10T16:59:00.480Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-10961
Vulnerability from cvelistv5
Published
2017-07-18 14:00
Modified
2024-08-05 17:57
Severity ?
EPSS score ?
Summary
REDCap before 7.5.1 has CSRF in the deletion feature of the File Repository and File Upload components.
References
| ▼ | URL | Tags |
|---|---|---|
| https://community.projectredcap.org/articles/13/changelog-standard-release.html | x_refsource_MISC | |
| https://gist.github.com/jordanpotti/fef4f1ada404d5ba7f88ab42e93cdaae | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:57:56.888Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://community.projectredcap.org/articles/13/changelog-standard-release.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gist.github.com/jordanpotti/fef4f1ada404d5ba7f88ab42e93cdaae"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-07-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "REDCap before 7.5.1 has CSRF in the deletion feature of the File Repository and File Upload components."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-18T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://community.projectredcap.org/articles/13/changelog-standard-release.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gist.github.com/jordanpotti/fef4f1ada404d5ba7f88ab42e93cdaae"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-10961",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "REDCap before 7.5.1 has CSRF in the deletion feature of the File Repository and File Upload components."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://community.projectredcap.org/articles/13/changelog-standard-release.html",
"refsource": "MISC",
"url": "https://community.projectredcap.org/articles/13/changelog-standard-release.html"
},
{
"name": "https://gist.github.com/jordanpotti/fef4f1ada404d5ba7f88ab42e93cdaae",
"refsource": "MISC",
"url": "https://gist.github.com/jordanpotti/fef4f1ada404d5ba7f88ab42e93cdaae"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-10961",
"datePublished": "2017-07-18T14:00:00",
"dateReserved": "2017-07-05T00:00:00",
"dateUpdated": "2024-08-05T17:57:56.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-24127
Vulnerability from cvelistv5
Published
2022-06-15 18:16
Modified
2024-08-03 03:59
Severity ?
EPSS score ?
Summary
A Stored Cross-Site Scripting (XSS) vulnerability was discovered in ProjectGeneral/edit_project_settings.php in REDCap 12.0.11. This issue allows any user with project management permissions to inject arbitrary code into the project title (app_title) field when editing an existing project. The payload is then reflected within the title tag of the page.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:59:23.927Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Stored Cross-Site Scripting (XSS) vulnerability was discovered in ProjectGeneral/edit_project_settings.php in REDCap 12.0.11. This issue allows any user with project management permissions to inject arbitrary code into the project title (app_title) field when editing an existing project. The payload is then reflected within the title tag of the page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-15T18:16:28",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-24127",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Stored Cross-Site Scripting (XSS) vulnerability was discovered in ProjectGeneral/edit_project_settings.php in REDCap 12.0.11. This issue allows any user with project management permissions to inject arbitrary code into the project title (app_title) field when editing an existing project. The payload is then reflected within the title tag of the page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/",
"refsource": "MISC",
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"name": "https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/",
"refsource": "MISC",
"url": "https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-24127",
"datePublished": "2022-06-15T18:16:28",
"dateReserved": "2022-01-29T00:00:00",
"dateUpdated": "2024-08-03T03:59:23.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2013-4610
Vulnerability from cvelistv5
Published
2013-06-17 10:00
Modified
2024-09-17 00:21
Severity ?
EPSS score ?
Summary
Unspecified vulnerability in the Data Search utility in data-entry forms in REDCap before 5.0.3 and 5.1.x before 5.1.2 has unknown impact and remote attack vectors.
References
| ▼ | URL | Tags |
|---|---|---|
| http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:52:26.656Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Unspecified vulnerability in the Data Search utility in data-entry forms in REDCap before 5.0.3 and 5.1.x before 5.1.2 has unknown impact and remote attack vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-06-17T10:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-4610",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unspecified vulnerability in the Data Search utility in data-entry forms in REDCap before 5.0.3 and 5.1.x before 5.1.2 has unknown impact and remote attack vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf",
"refsource": "CONFIRM",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-4610",
"datePublished": "2013-06-17T10:00:00Z",
"dateReserved": "2013-06-17T00:00:00Z",
"dateUpdated": "2024-09-17T00:21:36.554Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-23113
Vulnerability from cvelistv5
Published
2025-01-10 00:00
Modified
2025-01-13 20:35
Severity ?
EPSS score ?
Summary
An issue was discovered in REDCap 14.9.6. It has an action=myprojects&logout=1 CSRF issue in the alert-title while performing an upload of a CSV file containing a list of alert configuration. An attacker can send the victim a CSV file containing an HTML injection payload in the alert-title. Once the victim uploads the file, he automatically lands on a page to view the uploaded data. If the victim click on the alert-title value, it can trigger a logout request and terminates their session, or redirect to a phishing website. This vulnerability stems from the absence of CSRF protections on the logout functionality.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Vanderbilt | REDCap |
Version: 14.9.6 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-23113",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-13T20:35:08.080207Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-13T20:35:35.849Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "REDCap",
"vendor": "Vanderbilt",
"versions": [
{
"status": "affected",
"version": "14.9.6",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"versionEndIncluding": "14.9.6",
"versionStartIncluding": "14.9.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in REDCap 14.9.6. It has an action=myprojects\u0026logout=1 CSRF issue in the alert-title while performing an upload of a CSV file containing a list of alert configuration. An attacker can send the victim a CSV file containing an HTML injection payload in the alert-title. Once the victim uploads the file, he automatically lands on a page to view the uploaded data. If the victim click on the alert-title value, it can trigger a logout request and terminates their session, or redirect to a phishing website. This vulnerability stems from the absence of CSRF protections on the logout functionality."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.4,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T22:10:58.576Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE_XXX/README.md"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-23113",
"datePublished": "2025-01-10T00:00:00",
"dateReserved": "2025-01-10T00:00:00",
"dateUpdated": "2025-01-13T20:35:35.849Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-23112
Vulnerability from cvelistv5
Published
2025-01-10 00:00
Modified
2025-01-13 20:47
Severity ?
EPSS score ?
Summary
An issue was discovered in REDCap 14.9.6. A stored cross-site scripting (XSS) vulnerability allows authenticated users to inject malicious scripts into the Survey field name of Survey. When a user receive the survey, if he clicks on the field name, it triggers the XSS payload.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Vanderbilt | REDCap |
Version: 14.9.6 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-23112",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-13T20:46:48.285982Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-13T20:47:26.043Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "REDCap",
"vendor": "Vanderbilt",
"versions": [
{
"status": "affected",
"version": "14.9.6",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"versionEndIncluding": "14.9.6",
"versionStartIncluding": "14.9.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in REDCap 14.9.6. A stored cross-site scripting (XSS) vulnerability allows authenticated users to inject malicious scripts into the Survey field name of Survey. When a user receive the survey, if he clicks on the field name, it triggers the XSS payload."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T22:07:19.788Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE_ZZZZ/README.md"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-23112",
"datePublished": "2025-01-10T00:00:00",
"dateReserved": "2025-01-10T00:00:00",
"dateUpdated": "2025-01-13T20:47:26.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-37361
Vulnerability from cvelistv5
Published
2023-07-25 00:00
Modified
2024-10-23 19:57
Severity ?
EPSS score ?
Summary
REDCap 12.0.26 LTS and 12.3.2 Standard allows SQL Injection via scheduling, repeatforms, purpose, app_title, or randomization.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:09:34.360Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://trustwave.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=32305"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-37361",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T19:57:04.426353Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T19:57:15.523Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "REDCap 12.0.26 LTS and 12.3.2 Standard allows SQL Injection via scheduling, repeatforms, purpose, app_title, or randomization."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-25T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://trustwave.com"
},
{
"url": "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=32305"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-37361",
"datePublished": "2023-07-25T00:00:00",
"dateReserved": "2023-06-30T00:00:00",
"dateUpdated": "2024-10-23T19:57:15.523Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2013-4611
Vulnerability from cvelistv5
Published
2013-06-17 10:00
Modified
2024-09-17 04:19
Severity ?
EPSS score ?
Summary
Multiple unspecified vulnerabilities in REDCap before 5.1.1 allow remote attackers to have an unknown impact via vectors involving (1) the Online Designer page or (2) the Manage Survey Participants page.
References
| ▼ | URL | Tags |
|---|---|---|
| http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:52:26.371Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple unspecified vulnerabilities in REDCap before 5.1.1 allow remote attackers to have an unknown impact via vectors involving (1) the Online Designer page or (2) the Manage Survey Participants page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-06-17T10:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-4611",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple unspecified vulnerabilities in REDCap before 5.1.1 allow remote attackers to have an unknown impact via vectors involving (1) the Online Designer page or (2) the Manage Survey Participants page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf",
"refsource": "CONFIRM",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-4611",
"datePublished": "2013-06-17T10:00:00Z",
"dateReserved": "2013-06-17T00:00:00Z",
"dateUpdated": "2024-09-17T04:19:21.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-42136
Vulnerability from cvelistv5
Published
2022-04-13 15:32
Modified
2024-08-04 03:30
Severity ?
EPSS score ?
Summary
A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap before 11.4.0 allows remote attackers to execute JavaScript code in the client's browser by storing said code as a Missing Data Code value. This can then be leveraged to execute a Cross-Site Request Forgery attack to escalate privileges to administrator.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.project-redcap.org/ | x_refsource_MISC | |
| https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf | x_refsource_MISC | |
| http://packetstormsecurity.com/files/166723/REDCap-Cross-Site-Scripting.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:30:37.558Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.project-redcap.org/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/166723/REDCap-Cross-Site-Scripting.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap before 11.4.0 allows remote attackers to execute JavaScript code in the client\u0027s browser by storing said code as a Missing Data Code value. This can then be leveraged to execute a Cross-Site Request Forgery attack to escalate privileges to administrator."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-15T21:02:59",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.project-redcap.org/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/166723/REDCap-Cross-Site-Scripting.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-42136",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap before 11.4.0 allows remote attackers to execute JavaScript code in the client\u0027s browser by storing said code as a Missing Data Code value. This can then be leveraged to execute a Cross-Site Request Forgery attack to escalate privileges to administrator."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.project-redcap.org/",
"refsource": "MISC",
"url": "https://www.project-redcap.org/"
},
{
"name": "https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf",
"refsource": "MISC",
"url": "https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf"
},
{
"name": "http://packetstormsecurity.com/files/166723/REDCap-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/166723/REDCap-Cross-Site-Scripting.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-42136",
"datePublished": "2022-04-13T15:32:56",
"dateReserved": "2021-10-11T00:00:00",
"dateUpdated": "2024-08-04T03:30:37.558Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-14937
Vulnerability from cvelistv5
Published
2019-08-17 16:15
Modified
2024-08-05 00:34
Severity ?
EPSS score ?
Summary
REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php. The attacker can obtain a user's login sessionid from the database, and then re-login into REDCap to compromise all data.
References
| ▼ | URL | Tags |
|---|---|---|
| https://projectredcap.org/resources/community/ | x_refsource_MISC | |
| https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | x_refsource_CONFIRM | |
| https://gist.github.com/hiennv20/6739606a4d0d25612f5139ec391060b7 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:34:52.407Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://projectredcap.org/resources/community/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gist.github.com/hiennv20/6739606a4d0d25612f5139ec391060b7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php. The attacker can obtain a user\u0027s login sessionid from the database, and then re-login into REDCap to compromise all data."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-17T16:15:20",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://projectredcap.org/resources/community/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gist.github.com/hiennv20/6739606a4d0d25612f5139ec391060b7"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-14937",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php. The attacker can obtain a user\u0027s login sessionid from the database, and then re-login into REDCap to compromise all data."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://projectredcap.org/resources/community/",
"refsource": "MISC",
"url": "https://projectredcap.org/resources/community/"
},
{
"name": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/",
"refsource": "CONFIRM",
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"name": "https://gist.github.com/hiennv20/6739606a4d0d25612f5139ec391060b7",
"refsource": "MISC",
"url": "https://gist.github.com/hiennv20/6739606a4d0d25612f5139ec391060b7"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-14937",
"datePublished": "2019-08-17T16:15:20",
"dateReserved": "2019-08-11T00:00:00",
"dateUpdated": "2024-08-05T00:34:52.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-27358
Vulnerability from cvelistv5
Published
2020-10-31 16:18
Modified
2024-08-04 16:11
Severity ?
EPSS score ?
Summary
An issue was discovered in REDCap 8.11.6 through 9.x before 10. The messenger's CSV feature (that allows users to export their conversation threads as CSV) allows non-privileged users to export one another's conversation threads by changing the thread_id parameter in the request to the endpoint Messenger/messenger_download_csv.php?title=Hey&thread_id={THREAD_ID}.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | x_refsource_MISC | |
| https://www.ruse.tech/blog/38 | x_refsource_MISC | |
| https://github.com/seb1055/cve-2020-27358-27359 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:11:36.611Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.ruse.tech/blog/38"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/seb1055/cve-2020-27358-27359"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in REDCap 8.11.6 through 9.x before 10. The messenger\u0027s CSV feature (that allows users to export their conversation threads as CSV) allows non-privileged users to export one another\u0027s conversation threads by changing the thread_id parameter in the request to the endpoint Messenger/messenger_download_csv.php?title=Hey\u0026thread_id={THREAD_ID}."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-02T13:01:22",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.ruse.tech/blog/38"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/seb1055/cve-2020-27358-27359"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-27358",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in REDCap 8.11.6 through 9.x before 10. The messenger\u0027s CSV feature (that allows users to export their conversation threads as CSV) allows non-privileged users to export one another\u0027s conversation threads by changing the thread_id parameter in the request to the endpoint Messenger/messenger_download_csv.php?title=Hey\u0026thread_id={THREAD_ID}."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/",
"refsource": "MISC",
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"name": "https://www.ruse.tech/blog/38",
"refsource": "MISC",
"url": "https://www.ruse.tech/blog/38"
},
{
"name": "https://github.com/seb1055/cve-2020-27358-27359",
"refsource": "MISC",
"url": "https://github.com/seb1055/cve-2020-27358-27359"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-27358",
"datePublished": "2020-10-31T16:18:43",
"dateReserved": "2020-10-20T00:00:00",
"dateUpdated": "2024-08-04T16:11:36.611Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-23111
Vulnerability from cvelistv5
Published
2025-01-10 00:00
Modified
2025-01-13 20:50
Severity ?
EPSS score ?
Summary
An issue was discovered in REDCap 14.9.6. It allows HTML Injection via the Survey field name, exposing users to a redirection to a phishing website. An attacker can exploit this to trick the user that receives the survey into clicking on the field name, which redirects them to a phishing website. Thus, this allows malicious actions to be executed without user consent.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Vanderbilt | REDCap |
Version: 14.9.6 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-23111",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-13T20:50:19.956136Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-13T20:50:35.709Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "REDCap",
"vendor": "Vanderbilt",
"versions": [
{
"status": "affected",
"version": "14.9.6",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"versionEndIncluding": "14.9.6",
"versionStartIncluding": "14.9.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in REDCap 14.9.6. It allows HTML Injection via the Survey field name, exposing users to a redirection to a phishing website. An attacker can exploit this to trick the user that receives the survey into clicking on the field name, which redirects them to a phishing website. Thus, this allows malicious actions to be executed without user consent."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T22:05:32.425Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE_YYYY/README.md"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-23111",
"datePublished": "2025-01-10T00:00:00",
"dateReserved": "2025-01-10T00:00:00",
"dateUpdated": "2025-01-13T20:50:35.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-26713
Vulnerability from cvelistv5
Published
2021-01-12 14:17
Modified
2024-08-04 15:56
Severity ?
EPSS score ?
Summary
REDCap 10.3.4 contains a XSS vulnerability in the ToDoList function with parameter sort. The information submitted by the user is immediately returned in the response and not escaped leading to the reflected XSS vulnerability. Attackers can exploit vulnerabilities to steal login session information or borrow user rights to perform unauthorized acts.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | x_refsource_MISC | |
| https://www.project-redcap.org/ | x_refsource_MISC | |
| https://github.com/vuongdq54/RedCap | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:56:05.085Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.project-redcap.org/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vuongdq54/RedCap"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "REDCap 10.3.4 contains a XSS vulnerability in the ToDoList function with parameter sort. The information submitted by the user is immediately returned in the response and not escaped leading to the reflected XSS vulnerability. Attackers can exploit vulnerabilities to steal login session information or borrow user rights to perform unauthorized acts."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-12T14:17:55",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.project-redcap.org/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vuongdq54/RedCap"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-26713",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "REDCap 10.3.4 contains a XSS vulnerability in the ToDoList function with parameter sort. The information submitted by the user is immediately returned in the response and not escaped leading to the reflected XSS vulnerability. Attackers can exploit vulnerabilities to steal login session information or borrow user rights to perform unauthorized acts."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/",
"refsource": "MISC",
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"name": "https://www.project-redcap.org/",
"refsource": "MISC",
"url": "https://www.project-redcap.org/"
},
{
"name": "https://github.com/vuongdq54/RedCap",
"refsource": "MISC",
"url": "https://github.com/vuongdq54/RedCap"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-26713",
"datePublished": "2021-01-12T14:17:55",
"dateReserved": "2020-10-07T00:00:00",
"dateUpdated": "2024-08-04T15:56:05.085Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-56376
Vulnerability from cvelistv5
Published
2025-01-09 00:00
Modified
2025-01-10 14:59
Severity ?
EPSS score ?
Summary
A stored cross-site scripting (XSS) vulnerability in the built-in messenger of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the message field. When a user click on the received message, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Vanderbilt | REDCap |
Version: 14.9.6 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56376",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-10T14:56:58.897721Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T14:59:11.687Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "REDCap",
"vendor": "Vanderbilt",
"versions": [
{
"status": "affected",
"version": "14.9.6",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"versionEndIncluding": "14.9.6",
"versionStartIncluding": "14.9.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in the built-in messenger of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the message field. When a user click on the received message, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T23:03:55.418Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE-2024-56376/README.md"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-56376",
"datePublished": "2025-01-09T00:00:00",
"dateReserved": "2024-12-22T00:00:00",
"dateUpdated": "2025-01-10T14:59:11.687Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-42715
Vulnerability from cvelistv5
Published
2022-10-12 00:00
Modified
2024-08-03 13:10
Severity ?
EPSS score ?
Summary
A reflected XSS vulnerability exists in REDCap before 12.04.18 in the Alerts & Notifications upload feature. A crafted CSV file will, when uploaded, trigger arbitrary JavaScript code execution.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:10:41.465Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"tags": [
"x_transferred"
],
"url": "https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/uclahs-secops/security-research/tree/main/reports/20221011-recap-xss"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A reflected XSS vulnerability exists in REDCap before 12.04.18 in the Alerts \u0026 Notifications upload feature. A crafted CSV file will, when uploaded, trigger arbitrary JavaScript code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-13T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"url": "https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf"
},
{
"url": "https://github.com/uclahs-secops/security-research/tree/main/reports/20221011-recap-xss"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-42715",
"datePublished": "2022-10-12T00:00:00",
"dateReserved": "2022-10-10T00:00:00",
"dateUpdated": "2024-08-03T13:10:41.465Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-24004
Vulnerability from cvelistv5
Published
2022-06-15 18:16
Modified
2024-08-03 03:59
Severity ?
EPSS score ?
Summary
A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Messenger/messenger_ajax.php in REDCap 12.0.11. This issue allows any authenticated user to inject arbitrary code into the messenger title (aka new_title) field when editing an existing conversation. The payload executes in the browser of any conversation participant with the sidebar shown.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:59:23.364Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Messenger/messenger_ajax.php in REDCap 12.0.11. This issue allows any authenticated user to inject arbitrary code into the messenger title (aka new_title) field when editing an existing conversation. The payload executes in the browser of any conversation participant with the sidebar shown."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-15T18:16:21",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-24004",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Messenger/messenger_ajax.php in REDCap 12.0.11. This issue allows any authenticated user to inject arbitrary code into the messenger title (aka new_title) field when editing an existing conversation. The payload executes in the browser of any conversation participant with the sidebar shown."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/",
"refsource": "MISC",
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"name": "https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/",
"refsource": "MISC",
"url": "https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-24004",
"datePublished": "2022-06-15T18:16:21",
"dateReserved": "2022-01-26T00:00:00",
"dateUpdated": "2024-08-03T03:59:23.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-10962
Vulnerability from cvelistv5
Published
2017-07-18 14:00
Modified
2024-08-05 17:57
Severity ?
EPSS score ?
Summary
REDCap before 7.5.1 has XSS via the query string.
References
| ▼ | URL | Tags |
|---|---|---|
| https://community.projectredcap.org/articles/13/changelog-standard-release.html | x_refsource_MISC | |
| https://gist.github.com/jordanpotti/fef4f1ada404d5ba7f88ab42e93cdaae | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:57:56.763Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://community.projectredcap.org/articles/13/changelog-standard-release.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gist.github.com/jordanpotti/fef4f1ada404d5ba7f88ab42e93cdaae"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-07-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "REDCap before 7.5.1 has XSS via the query string."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-18T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://community.projectredcap.org/articles/13/changelog-standard-release.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gist.github.com/jordanpotti/fef4f1ada404d5ba7f88ab42e93cdaae"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-10962",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "REDCap before 7.5.1 has XSS via the query string."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://community.projectredcap.org/articles/13/changelog-standard-release.html",
"refsource": "MISC",
"url": "https://community.projectredcap.org/articles/13/changelog-standard-release.html"
},
{
"name": "https://gist.github.com/jordanpotti/fef4f1ada404d5ba7f88ab42e93cdaae",
"refsource": "MISC",
"url": "https://gist.github.com/jordanpotti/fef4f1ada404d5ba7f88ab42e93cdaae"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-10962",
"datePublished": "2017-07-18T14:00:00",
"dateReserved": "2017-07-05T00:00:00",
"dateUpdated": "2024-08-05T17:57:56.763Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-23110
Vulnerability from cvelistv5
Published
2025-01-10 00:00
Modified
2025-01-13 20:52
Severity ?
EPSS score ?
Summary
An issue was discovered in REDCap 14.9.6. A Reflected cross-site scripting (XSS) vulnerability in the email-subject field exists while performing an upload of a CSV file containing a list of alert configurations. An attacker can send the victim a CSV file containing the XSS payload in the email-subject. Once the victim uploads the file, he automatically lands on a page to view the uploaded data. If the victim clicks on the email-subject value, it triggers the XSS payload.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Vanderbilt | REDCap |
Version: 14.9.6 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-23110",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-13T20:52:08.758035Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-13T20:52:26.172Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "REDCap",
"vendor": "Vanderbilt",
"versions": [
{
"status": "affected",
"version": "14.9.6",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*",
"versionEndIncluding": "14.9.6",
"versionStartIncluding": "14.9.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in REDCap 14.9.6. A Reflected cross-site scripting (XSS) vulnerability in the email-subject field exists while performing an upload of a CSV file containing a list of alert configurations. An attacker can send the victim a CSV file containing the XSS payload in the email-subject. Once the victim uploads the file, he automatically lands on a page to view the uploaded data. If the victim clicks on the email-subject value, it triggers the XSS payload."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T22:03:30.880Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE_VVVVVV/README.md"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-23110",
"datePublished": "2025-01-10T00:00:00",
"dateReserved": "2025-01-10T00:00:00",
"dateUpdated": "2025-01-13T20:52:26.172Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2012-6565
Vulnerability from cvelistv5
Published
2013-06-17 10:00
Modified
2024-09-17 02:31
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in REDCap before 4.14.3 allows remote authenticated users to inject arbitrary web script or HTML via uppercase characters in JavaScript events within user-defined labels.
References
| ▼ | URL | Tags |
|---|---|---|
| http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T21:36:01.099Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in REDCap before 4.14.3 allows remote authenticated users to inject arbitrary web script or HTML via uppercase characters in JavaScript events within user-defined labels."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-06-17T10:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-6565",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in REDCap before 4.14.3 allows remote authenticated users to inject arbitrary web script or HTML via uppercase characters in JavaScript events within user-defined labels."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf",
"refsource": "CONFIRM",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-6565",
"datePublished": "2013-06-17T10:00:00Z",
"dateReserved": "2013-06-17T00:00:00Z",
"dateUpdated": "2024-09-17T02:31:59.530Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-13029
Vulnerability from cvelistv5
Published
2019-07-11 18:52
Modified
2024-08-04 23:41
Severity ?
EPSS score ?
Summary
Multiple stored Cross-site scripting (XSS) issues in the admin panel and survey system in REDCap 8 before 8.10.20 and 9 before 9.1.2 allow an attacker to inject arbitrary malicious HTML or JavaScript code into a user's web browser.
References
| ▼ | URL | Tags |
|---|---|---|
| https://gitlab.com/snippets/1874216 | x_refsource_MISC | |
| http://packetstormsecurity.com/files/153691/REDCap-Cross-Site-Scripting.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:41:10.143Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gitlab.com/snippets/1874216"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/153691/REDCap-Cross-Site-Scripting.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple stored Cross-site scripting (XSS) issues in the admin panel and survey system in REDCap 8 before 8.10.20 and 9 before 9.1.2 allow an attacker to inject arbitrary malicious HTML or JavaScript code into a user\u0027s web browser."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-19T19:06:05",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gitlab.com/snippets/1874216"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/153691/REDCap-Cross-Site-Scripting.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-13029",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple stored Cross-site scripting (XSS) issues in the admin panel and survey system in REDCap 8 before 8.10.20 and 9 before 9.1.2 allow an attacker to inject arbitrary malicious HTML or JavaScript code into a user\u0027s web browser."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gitlab.com/snippets/1874216",
"refsource": "MISC",
"url": "https://gitlab.com/snippets/1874216"
},
{
"name": "http://packetstormsecurity.com/files/153691/REDCap-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/153691/REDCap-Cross-Site-Scripting.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-13029",
"datePublished": "2019-07-11T18:52:33",
"dateReserved": "2019-06-28T00:00:00",
"dateUpdated": "2024-08-04T23:41:10.143Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-26712
Vulnerability from cvelistv5
Published
2021-01-12 14:17
Modified
2024-08-04 15:56
Severity ?
EPSS score ?
Summary
REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList function via sort parameter. The application uses the addition of a string of information from the submitted user that is not validated well in the database query, resulting in an SQL injection vulnerability where an attacker can exploit and compromise all databases.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ | x_refsource_MISC | |
| https://www.project-redcap.org/ | x_refsource_MISC | |
| https://github.com/vuongdq54/RedCap | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:56:04.991Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.project-redcap.org/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vuongdq54/RedCap"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList function via sort parameter. The application uses the addition of a string of information from the submitted user that is not validated well in the database query, resulting in an SQL injection vulnerability where an attacker can exploit and compromise all databases."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-12T14:17:33",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.project-redcap.org/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vuongdq54/RedCap"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-26712",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList function via sort parameter. The application uses the addition of a string of information from the submitted user that is not validated well in the database query, resulting in an SQL injection vulnerability where an attacker can exploit and compromise all databases."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/",
"refsource": "MISC",
"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"
},
{
"name": "https://www.project-redcap.org/",
"refsource": "MISC",
"url": "https://www.project-redcap.org/"
},
{
"name": "https://github.com/vuongdq54/RedCap",
"refsource": "MISC",
"url": "https://github.com/vuongdq54/RedCap"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-26712",
"datePublished": "2021-01-12T14:17:33",
"dateReserved": "2020-10-07T00:00:00",
"dateUpdated": "2024-08-04T15:56:04.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2013-4608
Vulnerability from cvelistv5
Published
2013-06-17 10:00
Modified
2024-09-16 19:24
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in REDCap before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via vectors involving the Graphical Data View & Descriptive Stats page.
References
| ▼ | URL | Tags |
|---|---|---|
| http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:52:26.545Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in REDCap before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via vectors involving the Graphical Data View \u0026 Descriptive Stats page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-06-17T10:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-4608",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in REDCap before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via vectors involving the Graphical Data View \u0026 Descriptive Stats page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf",
"refsource": "CONFIRM",
"url": "http://ctsi.psu.edu/wp-content/uploads/2013/03/REDCap-Release-Notes-Version5.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-4608",
"datePublished": "2013-06-17T10:00:00Z",
"dateReserved": "2013-06-17T00:00:00Z",
"dateUpdated": "2024-09-16T19:24:10.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}