Trustwave's 2024 Financial Services Threat Reports Highlight Alarming Trends in Insider Threats & Phishing-as-a-Service. Learn More

Trustwave's 2024 Financial Services Threat Reports Highlight Alarming Trends in Insider Threats & Phishing-as-a-Service. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Multiple Cross-Site Scripting (XSS) Vulnerabilities in REDCap (CVE-2024-37394, CVE-2024-37395, and CVE-2024-37396)

Trustwave SpiderLabs uncovered multiple stored cross-site scripting (XSS) vulnerabilities (CVE-2024-37394, CVE-2024-37395, and CVE-2024-37396) in REDCap (Research Electronic Data Capture), a widely used web application for building and managing online surveys and databases in research environments.

These vulnerabilities, if exploited, could allow attackers to execute malicious JavaScript code in victims' browsers, potentially compromising sensitive data.

 

About REDCap

REDCap, developed by Vanderbilt University, is a secure platform designed for data collection in research studies and operations. REDCap is popular among scientific institutions and universities that require strict compliance with government regulations and data privacy laws when conducting data collection for research purposes. It is particularly useful for managing studies that often contain sensitive or private information.

 

The Vulnerabilities

Trustwave's SpiderLabs team security researchers identified stored XSS vulnerabilities in multiple locations within REDCap version 13.1.9. These vulnerabilities allow authenticated users to inject malicious JavaScript code that executes when other users view the affected areas.

The vulnerable locations include:

  1. Calendar Events
  2. Public Surveys
  3. Project Dashboards

While the REDCap session cookie was found to have the "HttpOnly" attribute set during testing, these vulnerabilities could still pose significant risks to users and their data.

 

Proof of Concept

Our researchers developed proof-of-concept exploits for each vulnerable location. In each case, they were able to inject a simple JavaScript payload that, when triggered, executes an alert displaying the document domain.

The JavaScript payload were able to be entered into the following fields:

  • Calendar Events Notes
  • Public Survey Titles & Public Survey Instructions
  • Dashboard Titles & Dashboard Content

For example, the following payload was used:

```html
<a href="javascript&colon;alert(document.domain);">Click Me</a>
```

This payload, when inserted into various fields within REDCap, created clickable elements that would execute the malicious JavaScript when interacted with by users.

 

CVE Assignments

CVE-2024-37396

Stored Cross-Site Scripting (XSS) Vulnerability in REDCap Calendar Function

A stored cross-site scripting (XSS) vulnerability in the Calendar function of Vanderbilt REDCap 13.1.9 allows authenticated users to execute arbitrary web scripts or HTML via injecting a crafted payload into the 'Notes' field of a calendar event. This could lead to the execution of malicious scripts when the event is viewed. Updating to version 14.2.1 or later is recommended to remediate this vulnerability.

CVE-2024-37395

Stored Cross-Site Scripting (XSS) Vulnerability in REDCap Public Survey

A stored cross-site scripting (XSS) vulnerability in the Public Survey function of Vanderbilt REDCap 13.1.9 allows authenticated users to execute arbitrary web scripts or HTML via injecting a crafted payload into the 'Survey Title' and 'Survey Instructions' fields. This vulnerability could be exploited by attackers to execute malicious scripts when the survey is accessed through its public link. It is advised to update to version 14.2.1 or later to fix this issue.

CVE-2024-37394

Stored Cross-Site Scripting (XSS) Vulnerability in REDCap Project Dashboards

A stored cross-site scripting (XSS) vulnerability in the Project Dashboards of Vanderbilt REDCap 13.1.9 allows authenticated users to execute arbitrary web scripts or HTML by injecting a crafted payload into the 'Dashboard title' and 'Dashboard content' text boxes. This can lead to the execution of malicious scripts when the dashboard is viewed. Users are recommended to update to version 14.2.1 or later to mitigate this vulnerability.

 

Impact

These vulnerabilities could allow attackers to:

  • Steal sensitive information from users' browsers
  • Perform actions on behalf of the victim
  • Manipulate the appearance and functionality of the REDCap application
  • Potentially gain unauthorized access to protected data

 

Remediation

Vanderbilt University has addressed these vulnerabilities in REDCap version 14.2.1. We strongly recommend all REDCap users update to this version or later immediately.

 

Responsible Disclosure

Trustwave SpiderLabs reported these vulnerabilities to Vanderbilt University as part of our commitment to responsible disclosure. Our Responsible Disclosure policy is posted publicly here.

 

Conclusion

While REDCap undergoes regular security testing and has addressed numerous vulnerabilities over time, this discovery in version 13.1.9 demonstrates that even well-established software can harbor hidden security flaws. REDCap's history includes multiple CVEs, reflecting both the attention it receives from security researchers and its development team's commitment to addressing identified issues.

This case reminds us that security is an ongoing process, not a one-time achievement. For organizations using REDCap, especially those handling sensitive research data, this underscores the importance of staying current with the latest software versions, conducting continuous security assessments, and implementing additional security layers.

We encourage all REDCap users to update to the latest secure version and maintain vigilance in their overall security posture, including regular audits, proper configuration, and user education about potential risks.

 

References

TWSL2024-003: Stored Cross-Site Scripting in Multiple REDCap Locations

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo