Vanderbilt: >> Redcap >> 8.10.1 Security Vulnerabilities
REDCap 12.0.26 LTS and 12.3.2 Standard allows SQL Injection via scheduling, repeatforms, purpose, app_title, or randomization.
CVSS Score
2.7
EPSS Score
0.001
Published
2023-07-25
A reflected XSS vulnerability exists in REDCap before 12.04.18 in the Alerts & Notifications upload feature. A crafted CSV file will, when uploaded, trigger arbitrary JavaScript code execution.
CVSS Score
6.1
EPSS Score
0.002
Published
2022-10-12
A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap before 11.4.0 allows remote attackers to execute JavaScript code in the client's browser by storing said code as a Missing Data Code value. This can then be leveraged to execute a Cross-Site Request Forgery attack to escalate privileges to administrator.
CVSS Score
9.0
EPSS Score
0.018
Published
2022-04-13
REDCap before 9.3.4 has XSS on the Customize & Manage Locking/E-signatures page via Lock Record Custom Text values.
CVSS Score
5.4
EPSS Score
0.002
Published
2019-10-04
REDCap before 9.3.0 allows XSS attacks against non-administrator accounts on the Data Import Tool page via a CSV data import file.
CVSS Score
5.4
EPSS Score
0.003
Published
2019-08-21
Multiple stored Cross-site scripting (XSS) issues in the admin panel and survey system in REDCap 8 before 8.10.20 and 9 before 9.1.2 allow an attacker to inject arbitrary malicious HTML or JavaScript code into a user's web browser.
CVSS Score
4.8
EPSS Score
0.004
Published
2019-07-11
Page 2