CVE-2021-42136
REDCap 11.3.9 - Stored Cross Site Scripting
Public Exploits: 2
Exploited in Wild: -
SSVC Decision: -
Descriptions
A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap before 11.4.0 allows remote attackers to execute JavaScript code in the client's browser by storing said code as a Missing Data Code value. This can then be leveraged to execute a Cross-Site Request Forgery attack to escalate privileges to administrator.
A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap version 11.2.5 allows remote attackers to execute JavaScript code in the client's browser by storing that code as a Missing Data Code value. This can be leveraged to carry out a Cross-Site Request Forgery attack to escalate privileges to administrator.
REDCap versions prior to 11.4.0 suffer from a persistent cross site scripting vulnerability that can be leveraged to escalate privileges.
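The three descriptions above all name the same pattern: a value saved through the Missing Data Codes form is later written into a page as raw markup, so script in the value runs in the browser of whoever views it, and because that script runs in the victim's origin and session it can issue privileged requests on their behalf. The following is an added example, not REDCap's code and not the exploit-db PoC: a small Node.js model of the vulnerable renderer beside its hardened form, plus a triage helper for data that was stored before a fix. The field names, the sample codes and the URL inside the payload are all constructed for illustration.

```javascript
// Added example (not REDCap's own code): a minimal model of the stored-XSS
// pattern behind CVE-2021-42136. A Missing Data Code label is saved verbatim
// and later rendered into a settings page; if the page concatenates the stored
// label into HTML without encoding, script in the label runs in the browser of
// whoever opens that page, an administrator included. Field names and the
// request the payload issues are hypothetical.

// Encode the five characters that break out of element content or out of a
// double-quoted attribute value.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample of stored codes. The second label is the injection vector:
// an <img> whose error handler fires a same-origin POST carrying the viewer's
// session cookie, which is the CSRF-to-administrator step the advisory
// describes. The URL is made up and is not a REDCap endpoint.
const STORED_CODES = [
  { code: "NA", label: "Not applicable" },
  { code: "UNK", label: '<img src=x onerror="fetch(\'/hypothetical/grant_admin\',{method:\'POST\'})">' },
];

// Vulnerable renderer: stored labels are interpolated as raw markup.
function renderCodesVulnerable(codes) {
  const rows = codes.map((c) => `<tr><td>${c.code}</td><td>${c.label}</td></tr>`);
  return `<table>${rows.join("")}</table>`;
}

// Hardened renderer: every stored value is HTML-encoded at output time, so the
// label is displayed as text and the browser never sees an element or handler.
function renderCodesSafe(codes) {
  const rows = codes.map(
    (c) => `<tr><td>${escapeHtml(c.code)}</td><td>${escapeHtml(c.label)}</td></tr>`
  );
  return `<table>${rows.join("")}</table>`;
}

// Triage helper for existing data: return the codes whose stored label contains
// a tag or an inline event handler. Patching the renderer does not clean what
// was saved while the bug was live, so these rows still deserve a look.
function flagSuspiciousCodes(codes) {
  const pattern = /<\s*[a-z!/]|\bon[a-z]+\s*=/i;
  return codes.filter((c) => pattern.test(c.label)).map((c) => c.code);
}

function demo() {
  console.log("vulnerable:", renderCodesVulnerable(STORED_CODES));
  console.log("safe:      ", renderCodesSafe(STORED_CODES));
  console.log("review:    ", flagSuspiciousCodes(STORED_CODES));
}
demo();
```

Two points the model makes concrete. First, once injected script executes in the application's origin, a per-request CSRF token does not stop the escalation: the script can read the token from the page and replay it, so anti-CSRF is not a substitute for output encoding here. Second, a fix in the renderer is forward-looking only; labels written before the upgrade remain in the database and should be reviewed with something like the triage check above. How REDCap itself resolved the issue in 11.4.0 is not described on this page.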
CVSS Scores
SSVC
- Decision: -
Timeline
- 2021-10-11 CVE Reserved
- 2022-04-13 CVE Published
- 2022-04-19 First Exploit
- 2024-08-04 CVE Updated
- 2024-08-29 EPSS Updated
- Exploited in Wild: -
- KEV Due Date: -
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (4)
Vendor and product:
URL | Tag
---|---
https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf | Release Notes
https://www.project-redcap.org | Product

Public exploits:
URL | Date
---|---
https://www.exploit-db.com/exploits/50877 | 2022-04-19
http://packetstormsecurity.com/files/166723/REDCap-Cross-Site-Scripting.html | 2024-08-04
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status
---|---|---|---
Vanderbilt | Redcap | < 11.4.0 | Affected