Trustwave SpiderLabs uncovered multiple stored cross-site scripting (XSS) vulnerabilities (CVE-2024-37394, CVE-2024-37395, and CVE-2024-37396) in REDCap (Research Electronic Data Capture), a widely used web application for building and managing online surveys and databases in research environments.
These vulnerabilities, if exploited, could allow attackers to execute malicious JavaScript code in victims' browsers, potentially compromising sensitive data.
REDCap, developed by Vanderbilt University, is a secure platform designed for data collection in research studies and operations. REDCap is popular among scientific institutions and universities that require strict compliance with government regulations and data privacy laws when conducting data collection for research purposes. It is particularly useful for managing studies that often contain sensitive or private information.
Trustwave SpiderLabs security researchers identified stored XSS vulnerabilities in multiple locations within REDCap version 13.1.9. These vulnerabilities allow authenticated users to inject malicious JavaScript code that executes when other users view the affected areas.
The vulnerable locations include:
While the REDCap session cookie was found to have the "HttpOnly" attribute set during testing (so an injected script cannot read it through `document.cookie`), these vulnerabilities could still pose significant risks to users and their data: script running in a victim's browser executes with that user's session and can act on their behalf within the application.
Our researchers developed proof-of-concept exploits for each vulnerable location. In each case, they were able to inject a simple JavaScript payload that, when triggered, executes an alert displaying the document domain.
The JavaScript payload could be entered into the following fields:
For example, the following payload was used:
```html
<a href="javascript:alert(document.domain);">Click Me</a>
```
This payload, when inserted into various fields within REDCap, created clickable elements that would execute the malicious JavaScript when interacted with by users.
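The defensive counterpart to the payload above is consistent output encoding plus an allowlist for link schemes. The following is an added example written for this post, not REDCap's own code: it HTML-escapes values destined for plain-text fields (survey title, dashboard title), renders a deliberately minimal `<a href="...">` subset for fields that may carry links (instructions, notes, dashboard content) while rejecting any href whose scheme is not `http:`, `https:` or `mailto:`, and audits already-stored records for unsafe hrefs so an administrator can review existing data after upgrading. The field names, sample records and the `placeholder.invalid` base URL are constructed for illustration.

```javascript
// Added example (not REDCap's code). Demonstrates three defensive pieces
// for user-supplied field values: HTML escaping for plain-text fields,
// a scheme allowlist for anchor hrefs in fields that may carry links,
// and an audit of stored values for hrefs that fail the allowlist.

// Constructed copy of the payload described in the advisory.
const PAYLOAD = '<a href="javascript:alert(document.domain);">Click Me</a>';

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Plain-text fields: every markup-significant character becomes an entity,
// so the stored value is displayed literally and never parsed as HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Only these URL schemes are allowed in rendered links. The WHATWG URL
// parser lower-cases the scheme and strips ASCII tabs/newlines, so variants
// such as "JavaScript:" or "java\tscript:" still resolve to "javascript:".
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

function isSafeHref(href) {
  let url;
  try {
    // Base is a constructed placeholder so relative links ("/page") parse as https.
    url = new URL(String(href), 'https://placeholder.invalid/');
  } catch {
    return false; // unparsable href: treat as unsafe
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Deliberately tiny "rich text" grammar: only <a href="...">text</a> with a
// double-quoted href and no other attributes is recognised. Everything else,
// including a link with a rejected scheme, is emitted as escaped text.
const LINK_RE = /<a\s+href="([^"]*)"\s*>([^<]*)<\/a>/gi;

function renderLimitedHtml(value) {
  const text = String(value);
  let out = '';
  let last = 0;
  for (const m of text.matchAll(LINK_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const [whole, href, label] = m;
    if (isSafeHref(href)) {
      out += `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(label)}</a>`;
    } else {
      out += escapeHtml(whole); // unsafe scheme: the markup is shown, not executed
    }
    last = m.index + whole.length;
  }
  return out + escapeHtml(text.slice(last));
}

// Audit helper for stored data: finds any href attribute (quoted or not,
// any surrounding attributes) whose scheme fails the allowlist.
const HREF_RE = /href\s*=\s*["']?([^"'\s>]*)/gi;

function findUnsafeLinks(records) {
  const findings = [];
  for (const rec of records) {
    for (const m of String(rec.value).matchAll(HREF_RE)) {
      if (!isSafeHref(m[1])) findings.push({ field: rec.field, href: m[1] });
    }
  }
  return findings;
}

// Constructed sample records resembling the affected field types.
const SAMPLE_RECORDS = [
  { field: 'survey_title', value: 'Sleep Study Intake' },
  { field: 'survey_instructions', value: 'See <a href="https://example.org/consent">consent form</a>' },
  { field: 'calendar_notes', value: PAYLOAD },
  { field: 'dashboard_content', value: "<a href='JavaScript:alert(1)'>x</a>" },
];

console.log('escaped title:', escapeHtml(PAYLOAD));
console.log('rendered notes:', renderLimitedHtml(PAYLOAD));
console.log('audit findings:', findUnsafeLinks(SAMPLE_RECORDS));
```

The choice to parse hrefs with the platform URL parser rather than a hand-written regex matters: the browser will apply the same normalisation when it follows the link, so a check that disagrees with the browser is exactly the kind of gap a `javascript:` URL slips through. In a real deployment the escaping belongs at the point of output, for every field, not only the ones named in the advisory.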
| CVE | Title | Description |
|---|---|---|
| CVE-2024-37396 | Stored Cross-Site Scripting (XSS) Vulnerability in REDCap Calendar Function | A stored cross-site scripting (XSS) vulnerability in the Calendar function of Vanderbilt REDCap 13.1.9 allows authenticated users to execute arbitrary web scripts or HTML via injecting a crafted payload into the 'Notes' field of a calendar event. This could lead to the execution of malicious scripts when the event is viewed. Updating to version 14.2.1 or later is recommended to remediate this vulnerability. |
| CVE-2024-37395 | Stored Cross-Site Scripting (XSS) Vulnerability in REDCap Public Survey | A stored cross-site scripting (XSS) vulnerability in the Public Survey function of Vanderbilt REDCap 13.1.9 allows authenticated users to execute arbitrary web scripts or HTML via injecting a crafted payload into the 'Survey Title' and 'Survey Instructions' fields. This vulnerability could be exploited by attackers to execute malicious scripts when the survey is accessed through its public link. It is advised to update to version 14.2.1 or later to fix this issue. |
| CVE-2024-37394 | Stored Cross-Site Scripting (XSS) Vulnerability in REDCap Project Dashboards | A stored cross-site scripting (XSS) vulnerability in the Project Dashboards of Vanderbilt REDCap 13.1.9 allows authenticated users to execute arbitrary web scripts or HTML by injecting a crafted payload into the 'Dashboard title' and 'Dashboard content' text boxes. This can lead to the execution of malicious scripts when the dashboard is viewed. Users are recommended to update to version 14.2.1 or later to mitigate this vulnerability. |
These vulnerabilities could allow attackers to:
Vanderbilt University has addressed these vulnerabilities in REDCap version 14.2.1. We strongly recommend all REDCap users update to this version or later immediately.
Trustwave SpiderLabs reported these vulnerabilities to Vanderbilt University as part of our commitment to responsible disclosure. Our Responsible Disclosure policy is posted publicly here.
While REDCap undergoes regular security testing and has addressed numerous vulnerabilities over time, this discovery in version 13.1.9 demonstrates that even well-established software can harbor hidden security flaws. REDCap's history includes multiple CVEs, reflecting both the attention it receives from security researchers and its development team's commitment to addressing identified issues.
This case reminds us that security is an ongoing process, not a one-time achievement. For organizations using REDCap, especially those handling sensitive research data, this underscores the importance of staying current with the latest software versions, conducting continuous security assessments, and implementing additional security layers.
We encourage all REDCap users to update to the latest secure version and maintain vigilance in their overall security posture, including regular audits, proper configuration, and user education about potential risks.
References
TWSL2024-003: Stored Cross-Site Scripting in Multiple REDCap Locations