Vulnerability Details CVE-2022-24004
A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Messenger/messenger_ajax.php in REDCap 12.0.11. This issue allows any authenticated user to inject arbitrary code into the messenger title (aka new_title) field when editing an existing conversation. The payload executes in the browser of any conversation participant with the sidebar shown.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 65.0%
CVSS Severity
CVSS v3 Score 5.4
CVSS v2 Score 3.5
References
- https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/
- https://www.evms.edu/research/resources_services/redcap/redcap_change_log/
- https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting/
- https://www.evms.edu/research/resources_services/redcap/redcap_change_log/
Products affected by CVE-2022-24004
-
cpe:2.3:a:vanderbilt:redcap:12.0.11