CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-37798
https://notcve.org/view.php?id=CVE-2023-37798
A stored cross-site scripting (XSS) vulnerability in the new REDCap project creation function of Vanderbilt REDCap 13.1.35 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the project title parameter. Una vulnerabilidad de Cross-Site Scripting (XSS) Almacenado en la nueva función de creación de proyectos REDCap de Vanderbilt REDCap 13.1.35 permite a los atacantes ejecutar scripts web arbitrarios o HTML mediante la inyección de un payload manipulado en el parámetro "project title". • http://redcap.com http://vanderbilt.com https://www.cyderes.com/blog/cve-2023-37798-stored-cross-site-scripting-in-vanderbilt-redcap • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 2.7EPSS: 0%CPEs: 2EXPL: 1CVE-2023-37361
https://notcve.org/view.php?id=CVE-2023-37361
REDCap 12.0.26 LTS and 12.3.2 Standard allows SQL Injection via scheduling, repeatforms, purpose, app_title, or randomization. • https://trustwave.com https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=32305 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2022-42715
https://notcve.org/view.php?id=CVE-2022-42715
A reflected XSS vulnerability exists in REDCap before 12.04.18 in the Alerts & Notifications upload feature. A crafted CSV file will, when uploaded, trigger arbitrary JavaScript code execution. Se presenta una vulnerabilidad de tipo XSS reflejado en REDCap versiones anteriores a 12.04.18, en la funcionalidad Alerts & Notifications upload. Un archivo CSV diseñado, cuando es cargado, desencadena una ejecución arbitraria de código JavaScript • https://github.com/uclahs-secops/security-research/tree/main/reports/20221011-recap-xss https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf https://www.evms.edu/research/resources_services/redcap/redcap_change_log • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 13%CPEs: 1EXPL: 2CVE-2021-42136 – REDCap 11.3.9 - Stored Cross Site Scripting
https://notcve.org/view.php?id=CVE-2021-42136
A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap before 11.4.0 allows remote attackers to execute JavaScript code in the client's browser by storing said code as a Missing Data Code value. This can then be leveraged to execute a Cross-Site Request Forgery attack to escalate privileges to administrator. Una vulnerabilidad de tipo Cross-Site Scripting (XSS) almacenada en la funcionalidad Missing Data Codes de REDCap versión 11.2.5, permite a atacantes remotos ejecutar código JavaScript en el navegador del cliente al almacenar dicho código como un valor de código de datos perdidos. Esto puede ser aprovechado para ejecutar un ataque de tipo Cross-Site Request Forgery para escalar privilegios a administrador REDCap versions prior to 11.4.0 suffer from a persistent cross site scripting vulnerability that can be leveraged to escalate privileges. • https://www.exploit-db.com/exploits/50877 http://packetstormsecurity.com/files/166723/REDCap-Cross-Site-Scripting.html https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf https://www.project-redcap.org • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2019-17121
https://notcve.org/view.php?id=CVE-2019-17121
REDCap before 9.3.4 has XSS on the Customize & Manage Locking/E-signatures page via Lock Record Custom Text values. REDCap versiones anteriores a 9.3.4, presenta una vulnerabilidad de tipo XSS en la página Customize & Manage Locking/E-signatures por medio de valores Lock Record Custom Text. • https://www.evms.edu/research/resources_services/redcap/redcap_change_log • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •