Skip to main content

Redcap CVE-2023-37798

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2023-09-07 cve@mitre.org
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Sep 07, 2023 - 19:15 nvd
MEDIUM 5.4

DescriptionNVD

A stored cross-site scripting (XSS) vulnerability in the new REDCap project creation function of Vanderbilt REDCap 13.1.35 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the project title parameter.

AnalysisAI

A stored cross-site scripting (XSS) vulnerability in the new REDCap project creation function of Vanderbilt REDCap 13.1.35 allows attackers to execute arbitrary web scripts or HTML via injecting a. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. A stored cross-site scripting (XSS) vulnerability in the new REDCap project creation function of Vanderbilt REDCap 13.1.35 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the project title parameter. Affected products include: Vanderbilt Redcap.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

More in Redcap

View all
CVE-2024-56311 HIGH POC
8.8 Dec 22

REDCap through 14.9.6 has a security flaw in the Notes section of calendar events, exposing users to a Cross-Site Reques

CVE-2024-56310 HIGH POC
8.8 Dec 22

REDCap through 14.9.6 has a security flaw in the Project Dashboards name, exposing users to a Cross-Site Request Forgery

CVE-2019-14937 HIGH POC
7.5 Aug 17

REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=

CVE-2013-4611 CRITICAL
10.0 Jun 17

Multiple unspecified vulnerabilities in REDCap before 5.1.1 allow remote attackers to have an unknown impact via vectors

CVE-2024-45527 MEDIUM POC
6.1 Sep 02

REDCap 14.7.0 allows HTML injection via the project title of a New Project action. Rated medium severity (CVSS 6.1), thi

CVE-2022-42715 MEDIUM POC
6.1 Oct 12

A reflected XSS vulnerability exists in REDCap before 12.04.18 in the Alerts & Notifications upload feature. Rated mediu

CVE-2013-4610 CRITICAL
10.0 Jun 17

Unspecified vulnerability in the Data Search utility in data-entry forms in REDCap before 5.0.3 and 5.1.x before 5.1.2 h

CVE-2024-37396 MEDIUM POC
5.4 Jun 10

A stored cross-site scripting (XSS) vulnerability in the Calendar function of REDCap 13.1.9 allows authenticated users t

CVE-2024-37394 MEDIUM POC
5.4 Jun 10

A stored cross-site scripting (XSS) vulnerability in the Project Dashboards of REDCap 13.1.9 allows authenticated users

CVE-2024-37395 MEDIUM POC
5.4 Jun 10

A stored cross-site scripting (XSS) vulnerability in the Public Survey function of REDCap 13.1.9 allows authenticated us

CVE-2024-56314 MEDIUM POC
5.4 Dec 22

A stored cross-site scripting (XSS) vulnerability in the Project name of REDCap through 14.9.6 allows authenticated user

CVE-2024-56313 MEDIUM POC
5.4 Dec 22

A stored cross-site scripting (XSS) vulnerability in the Calendar feature of REDCap through 14.9.6 allows authenticated

Share

CVE-2023-37798 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy