CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-37798
https://notcve.org/view.php?id=CVE-2023-37798
A stored cross-site scripting (XSS) vulnerability in the new REDCap project creation function of Vanderbilt REDCap 13.1.35 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the project title parameter. Una vulnerabilidad de Cross-Site Scripting (XSS) Almacenado en la nueva función de creación de proyectos REDCap de Vanderbilt REDCap 13.1.35 permite a los atacantes ejecutar scripts web arbitrarios o HTML mediante la inyección de un payload manipulado en el parámetro "project title". • http://redcap.com http://vanderbilt.com https://www.cyderes.com/blog/cve-2023-37798-stored-cross-site-scripting-in-vanderbilt-redcap • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 2.7EPSS: 0%CPEs: 2EXPL: 1CVE-2023-37361
https://notcve.org/view.php?id=CVE-2023-37361
REDCap 12.0.26 LTS and 12.3.2 Standard allows SQL Injection via scheduling, repeatforms, purpose, app_title, or randomization. • https://trustwave.com https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=32305 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2022-42715
https://notcve.org/view.php?id=CVE-2022-42715
A reflected XSS vulnerability exists in REDCap before 12.04.18 in the Alerts & Notifications upload feature. A crafted CSV file will, when uploaded, trigger arbitrary JavaScript code execution. Se presenta una vulnerabilidad de tipo XSS reflejado en REDCap versiones anteriores a 12.04.18, en la funcionalidad Alerts & Notifications upload. Un archivo CSV diseñado, cuando es cargado, desencadena una ejecución arbitraria de código JavaScript • https://github.com/uclahs-secops/security-research/tree/main/reports/20221011-recap-xss https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf https://www.evms.edu/research/resources_services/redcap/redcap_change_log • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 13%CPEs: 1EXPL: 2CVE-2021-42136 – REDCap 11.3.9 - Stored Cross Site Scripting
https://notcve.org/view.php?id=CVE-2021-42136
A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap before 11.4.0 allows remote attackers to execute JavaScript code in the client's browser by storing said code as a Missing Data Code value. This can then be leveraged to execute a Cross-Site Request Forgery attack to escalate privileges to administrator. Una vulnerabilidad de tipo Cross-Site Scripting (XSS) almacenada en la funcionalidad Missing Data Codes de REDCap versión 11.2.5, permite a atacantes remotos ejecutar código JavaScript en el navegador del cliente al almacenar dicho código como un valor de código de datos perdidos. Esto puede ser aprovechado para ejecutar un ataque de tipo Cross-Site Request Forgery para escalar privilegios a administrador REDCap versions prior to 11.4.0 suffer from a persistent cross site scripting vulnerability that can be leveraged to escalate privileges. • https://www.exploit-db.com/exploits/50877 http://packetstormsecurity.com/files/166723/REDCap-Cross-Site-Scripting.html https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf https://www.project-redcap.org • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2020-26713
https://notcve.org/view.php?id=CVE-2020-26713
REDCap 10.3.4 contains a XSS vulnerability in the ToDoList function with parameter sort. The information submitted by the user is immediately returned in the response and not escaped leading to the reflected XSS vulnerability. Attackers can exploit vulnerabilities to steal login session information or borrow user rights to perform unauthorized acts. REDCap versión 10.3.4, contiene una vulnerabilidad de tipo XSS en la función ToDoList con el parámetro sort. La información enviada por el usuario es inmediatamente devuelta en la respuesta y no se escapa, conllevando a una vulnerabilidad de tipo XSS reflejado. • https://github.com/vuongdq54/RedCap https://www.evms.edu/research/resources_services/redcap/redcap_change_log https://www.project-redcap.org • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •