Trustwave SpiderLabs recently discovered three stored cross-site scripting (XSS) vulnerabilities in REDCap, a popular web application used for managing online surveys and databases in research settings [2].
Description
The three issues, tracked as CVE-2024-37394 [1], CVE-2024-37395 [1] [2] and CVE-2024-37396 [1] [2], were found in REDCap version 13.1.9 [2]. Each is a stored XSS: an authenticated user can save JavaScript into a field that the application later renders unescaped, so the payload persists on the server and executes in the browser of every other user who views the affected page [2]. That lets a low-privilege project member run script in the session of an administrator or another collaborator, which puts the research data held in REDCap at risk. The affected areas are the Calendar function, the Public Survey feature [2] and Project Dashboards [1] [2]. To address these issues, users are urged to update to version 14.2.1 or later. Trustwave produced proof-of-concept exploits to demonstrate the impact of each vulnerability [1].
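The following is an added illustration of the vulnerability class described above, not REDCap's code or Trustwave's proof of concept. It models a "calendar note" feature with an in-memory store (the note contents, the `PAYLOAD` string and the function names `saveNote`, `renderNoteUnsafe`, `renderNoteSafe` and `escapeHtml` are all constructed for this example). The unsafe renderer concatenates stored user text into HTML, which is the defect behind a stored XSS; the safe renderer applies HTML entity encoding at output time, which is the standard fix.

```javascript
// Added example (not REDCap code): a stored XSS in a hypothetical
// calendar-note feature and its fix by contextual output encoding.

// Constructed in-memory store standing in for the application database.
const notes = new Map();

// An authenticated user saves a note once; it is then shown to others.
function saveNote(id, author, body) {
  notes.set(id, { author, body });
}

// VULNERABLE: user-controlled text is concatenated straight into markup,
// so any tag or event handler in the note runs in each viewer's browser.
function renderNoteUnsafe(id) {
  const n = notes.get(id);
  return `<li class="note"><b>${n.author}</b>: ${n.body}</li>`;
}

// HTML entity encoding for HTML text and double-quoted attribute values.
// Other contexts (URLs, inline JavaScript, CSS) need their own encoders.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  }[c]));
}

// FIXED: the same template, but every user-supplied value is encoded at
// the point it is written into the HTML text context.
function renderNoteSafe(id) {
  const n = notes.get(id);
  return `<li class="note"><b>${escapeHtml(n.author)}</b>: ${escapeHtml(n.body)}</li>`;
}

// Constructed attacker input: an event handler that fires without any
// user interaction as soon as the image element is parsed.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';
saveNote('cal-1', 'mallory', 'Follow-up visit ' + PAYLOAD);

console.log('unsafe:', renderNoteUnsafe('cal-1'));
console.log('safe:  ', renderNoteSafe('cal-1'));
```

Note that encoding must happen on output, not on input: a note stored verbatim is harmless until it is rendered, and the same stored value may be emitted into several contexts (HTML text, an attribute, a JSON blob for a dashboard widget), each of which needs its own encoder. A Content-Security-Policy that disallows inline script is worth adding as defense in depth, but it does not replace output encoding.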
Conclusion
The REDCap findings are a reminder that stored XSS in a collaborative application lets one low-privilege account reach every user who views the affected page, so patches for this bug class should not wait for a maintenance window. Administrators running an affected version should upgrade now, and developers should treat every user-supplied value as untrusted at output time, applying context-appropriate encoding wherever it is rendered, so that the next such field does not become the next such CVE.
References
[1] https://www.darkreading.com/threat-intelligence/dangerous-xss-bugs-redcap-academic-scientific-research
[2] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/multiple-cross-site-scripting-xss-vulnerabilities-in-redcap-cve-2024-37394-cve-2024-37395-and-cve-2024-37396/