CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-37798
https://notcve.org/view.php?id=CVE-2023-37798
A stored cross-site scripting (XSS) vulnerability in the new REDCap project creation function of Vanderbilt REDCap 13.1.35 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the project title parameter. Una vulnerabilidad de Cross-Site Scripting (XSS) Almacenado en la nueva función de creación de proyectos REDCap de Vanderbilt REDCap 13.1.35 permite a los atacantes ejecutar scripts web arbitrarios o HTML mediante la inyección de un payload manipulado en el parámetro "project title". • http://redcap.com http://vanderbilt.com https://www.cyderes.com/blog/cve-2023-37798-stored-cross-site-scripting-in-vanderbilt-redcap • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 2.7EPSS: 0%CPEs: 2EXPL: 1CVE-2023-37361
https://notcve.org/view.php?id=CVE-2023-37361
REDCap 12.0.26 LTS and 12.3.2 Standard allows SQL Injection via scheduling, repeatforms, purpose, app_title, or randomization. • https://trustwave.com https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=32305 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2022-42715
https://notcve.org/view.php?id=CVE-2022-42715
A reflected XSS vulnerability exists in REDCap before 12.04.18 in the Alerts & Notifications upload feature. A crafted CSV file will, when uploaded, trigger arbitrary JavaScript code execution. Se presenta una vulnerabilidad de tipo XSS reflejado en REDCap versiones anteriores a 12.04.18, en la funcionalidad Alerts & Notifications upload. Un archivo CSV diseñado, cuando es cargado, desencadena una ejecución arbitraria de código JavaScript • https://github.com/uclahs-secops/security-research/tree/main/reports/20221011-recap-xss https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf https://www.evms.edu/research/resources_services/redcap/redcap_change_log • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 13%CPEs: 1EXPL: 2CVE-2021-42136 – REDCap 11.3.9 - Stored Cross Site Scripting
https://notcve.org/view.php?id=CVE-2021-42136
A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap before 11.4.0 allows remote attackers to execute JavaScript code in the client's browser by storing said code as a Missing Data Code value. This can then be leveraged to execute a Cross-Site Request Forgery attack to escalate privileges to administrator. Una vulnerabilidad de tipo Cross-Site Scripting (XSS) almacenada en la funcionalidad Missing Data Codes de REDCap versión 11.2.5, permite a atacantes remotos ejecutar código JavaScript en el navegador del cliente al almacenar dicho código como un valor de código de datos perdidos. Esto puede ser aprovechado para ejecutar un ataque de tipo Cross-Site Request Forgery para escalar privilegios a administrador REDCap versions prior to 11.4.0 suffer from a persistent cross site scripting vulnerability that can be leveraged to escalate privileges. • https://www.exploit-db.com/exploits/50877 http://packetstormsecurity.com/files/166723/REDCap-Cross-Site-Scripting.html https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf https://www.project-redcap.org • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-27359
https://notcve.org/view.php?id=CVE-2020-27359
A cross-site scripting (XSS) issue in REDCap 8.11.6 through 9.x before 10 allows attackers to inject arbitrary JavaScript or HTML in the Messenger feature. It was found that the filename of the image or file attached in a message could be used to perform this XSS attack. A user could craft a message and send it to anyone on the platform including admins. The XSS payload would execute on the other account without interaction from the user on several pages. Un problema de tipo cross-site scripting (XSS) en REDCap versiones 8.11.6 hasta 9.x anteriores a 10, permite a atacantes inyectar JavaScript o HTML arbitrario en la funcionalidad Messenger. • https://github.com/seb1055/cve-2020-27358-27359 https://www.evms.edu/research/resources_services/redcap/redcap_change_log https://www.ruse.tech/blog/38 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •