CVE-2023-37798
https://notcve.org/view.php?id=CVE-2023-37798
A stored cross-site scripting (XSS) vulnerability in the new REDCap project creation function of Vanderbilt REDCap 13.1.35 allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the project title parameter.
• http://redcap.com http://vanderbilt.com https://www.cyderes.com/blog/cve-2023-37798-stored-cross-site-scripting-in-vanderbilt-redcap
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-37361
https://notcve.org/view.php?id=CVE-2023-37361
REDCap 12.0.26 LTS and 12.3.2 Standard allow SQL Injection via scheduling, repeatforms, purpose, app_title, or randomization.
• https://trustwave.com https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=32305
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-42715
https://notcve.org/view.php?id=CVE-2022-42715
A reflected XSS vulnerability exists in REDCap before 12.04.18 in the Alerts & Notifications upload feature. A crafted CSV file will, when uploaded, trigger arbitrary JavaScript code execution.
• https://github.com/uclahs-secops/security-research/tree/main/reports/20221011-recap-xss https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf https://www.evms.edu/research/resources_services/redcap/redcap_change_log
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-24127
https://notcve.org/view.php?id=CVE-2022-24127
A Stored Cross-Site Scripting (XSS) vulnerability was discovered in ProjectGeneral/edit_project_settings.php in REDCap 12.0.11. This issue allows any user with project management permissions to inject arbitrary code into the project title (app_title) field when editing an existing project. The payload is then reflected within the title tag of the page.
• https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting https://www.evms.edu/research/resources_services/redcap/redcap_change_log
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-24004
https://notcve.org/view.php?id=CVE-2022-24004
A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Messenger/messenger_ajax.php in REDCap 12.0.11. This issue allows any authenticated user to inject arbitrary code into the messenger title (aka new_title) field when editing an existing conversation. The payload executes in the browser of any conversation participant with the sidebar shown.
• https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-24127-vanderbilt-redcap-stored-cross-site-scripting https://www.evms.edu/research/resources_services/redcap/redcap_change_log
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')