VYPR

Redcap

by Vanderbilt

CVEs (42)

  • CVE-2017-7351 | High | Feb 8, 2018
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    A SQL injection issue exists in a file upload handler in REDCap 7.x before 7.0.11 via a trailing substring to SendITController:upload.

  • CVE-2017-10961 | High | Jul 18, 2017
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    REDCap before 7.5.1 has CSRF in the deletion feature of the File Repository and File Upload components.

  • CVE-2017-10962 | Medium | Jul 18, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    REDCap before 7.5.1 has XSS via the query string.

  • CVE-2021-42136 | Apr 13, 2022
    risk 0.03 | CVSS not listed | EPSS 0.05

    A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap before 11.4.0 allows remote attackers to execute JavaScript code in the client's browser by storing said code as a Missing Data Code value. This can then be leveraged to execute a…

  • CVE-2019-13029 | Jul 11, 2019
    risk 0.03 | CVSS not listed | EPSS 0.02

    Multiple stored Cross-site scripting (XSS) issues in the admin panel and survey system in REDCap 8 before 8.10.20 and 9 before 9.1.2 allow an attacker to inject arbitrary malicious HTML or JavaScript code into a user's web browser.

  • CVE-2024-55374 | Jan 2, 2026
    risk 0.00 | CVSS not listed | EPSS 0.00

    REDCap 14.3.13 allows an attacker to enumerate usernames due to an observable discrepancy between login attempts.

  • CVE-2024-37396 | Jun 10, 2025
    risk 0.00 | CVSS not listed | EPSS 0.00

    A stored cross-site scripting (XSS) vulnerability in the Calendar function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Notes' field of a calendar event. This could lead to the execution of malicious…

  • CVE-2024-37394 | Jun 10, 2025
    risk 0.00 | CVSS not listed | EPSS 0.00

    A stored cross-site scripting (XSS) vulnerability in the Project Dashboards of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Dashboard title' and 'Dashboard content' text boxes. This can lead to the…

  • CVE-2024-37395 | Jun 10, 2025
    risk 0.00 | CVSS not listed | EPSS 0.00

    A stored cross-site scripting (XSS) vulnerability in the Public Survey function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Survey Title' and 'Survey Instructions' fields. This vulnerability could…

  • CVE-2025-23112 | Jan 10, 2025
    risk 0.00 | CVSS not listed | EPSS 0.00

    An issue was discovered in REDCap 14.9.6. A stored cross-site scripting (XSS) vulnerability allows authenticated users to inject malicious scripts into the Survey field name of a Survey. When a user receives the survey and clicks on the field name, the XSS payload is triggered.

  • CVE-2025-23113 | Jan 10, 2025
    risk 0.00 | CVSS not listed | EPSS 0.00

    An issue was discovered in REDCap 14.9.6. It has an action=myprojects&logout=1 CSRF issue in the alert-title while performing an upload of a CSV file containing a list of alert configurations. An attacker can send the victim a CSV file containing an HTML injection payload in the…

  • CVE-2025-23110 | Jan 10, 2025
    risk 0.00 | CVSS not listed | EPSS 0.00

    An issue was discovered in REDCap 14.9.6. A Reflected cross-site scripting (XSS) vulnerability in the email-subject field exists while performing an upload of a CSV file containing a list of alert configurations. An attacker can send the victim a CSV file containing the XSS…

  • CVE-2025-23111 | Jan 10, 2025
    risk 0.00 | CVSS not listed | EPSS 0.00

    An issue was discovered in REDCap 14.9.6. It allows HTML Injection via the Survey field name, exposing users to a redirection to a phishing website. An attacker can exploit this to trick the user that receives the survey into clicking on the field name, which redirects them to a…

  • CVE-2024-56376 | Jan 9, 2025
    risk 0.00 | CVSS not listed | EPSS 0.00

    A stored cross-site scripting (XSS) vulnerability in the built-in messenger of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the message field. When a user clicks on the received message, the crafted payload is executed, potentially enabling the…

  • CVE-2024-56377 | Jan 9, 2025
    risk 0.00 | CVSS not listed | EPSS 0.00

    A stored cross-site scripting (XSS) vulnerability in survey titles of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the Survey Title field or Survey Instructions. When a user receives a survey and clicks anywhere on the survey page to enter data, the…

  • CVE-2024-56314 | Dec 22, 2024
    risk 0.00 | CVSS not listed | EPSS 0.00

    A stored cross-site scripting (XSS) vulnerability in the Project name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project. When a user clicks on the project name to access it, the crafted payload is executed,…

  • CVE-2024-56311 | Dec 22, 2024
    risk 0.00 | CVSS not listed | EPSS 0.00

    REDCap through 14.9.6 has a security flaw in the Notes section of calendar events, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into accessing a calendar event's notes, which triggers a logout request and terminates…

  • CVE-2024-56313 | Dec 22, 2024
    risk 0.00 | CVSS not listed | EPSS 0.00

    A stored cross-site scripting (XSS) vulnerability in the Calendar feature of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the Notes field of a calendar event. When the event is viewed, the crafted payload is executed, potentially enabling the…

  • CVE-2024-56310 | Dec 22, 2024
    risk 0.00 | CVSS not listed | EPSS 0.00

    REDCap through 14.9.6 has a security flaw in the Project Dashboards name, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into clicking on a Project Dashboards name that contains the malicious payload, which triggers a…

  • CVE-2024-56312 | Dec 22, 2024
    risk 0.00 | CVSS not listed | EPSS 0.00

    A stored cross-site scripting (XSS) vulnerability in the Project Dashboard name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project Dashboard. When a user clicks on the project Dashboard name, the crafted payload is…
