Vanderbilt
Products
1- 42 CVEs
Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-7351 |  | High | 0.57 | 8.8 | 0.01 |  | Feb 8, 2018 | A SQL injection issue exists in a file upload handler in REDCap 7.x before 7.0.11 via a trailing substring to SendITController:upload. |
| CVE-2017-10961 |  | High | 0.57 | 8.8 | 0.01 |  | Jul 18, 2017 | REDCap before 7.5.1 has CSRF in the deletion feature of the File Repository and File Upload components. |
| CVE-2017-10962 |  | Medium | 0.40 | 6.1 | 0.01 |  | Jul 18, 2017 | REDCap before 7.5.1 has XSS via the query string. |
| CVE-2021-42136 |  |  | 0.03 | — | 0.05 |  | Apr 13, 2022 | A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap before 11.4.0 allows remote attackers to execute JavaScript code in the client's browser by storing said code as a Missing Data Code value. This can then be leveraged to execute a… |
| CVE-2019-13029 |  |  | 0.03 | — | 0.02 |  | Jul 11, 2019 | Multiple stored Cross-site scripting (XSS) issues in the admin panel and survey system in REDCap 8 before 8.10.20 and 9 before 9.1.2 allow an attacker to inject arbitrary malicious HTML or JavaScript code into a user's web browser. |
| CVE-2024-55374 |  |  | 0.00 | — | 0.00 |  | Jan 2, 2026 | REDCap 14.3.13 allows an attacker to enumerate usernames due to an observable discrepancy between login attempts. |
| CVE-2024-37396 |  |  | 0.00 | — | 0.00 |  | Jun 10, 2025 | A stored cross-site scripting (XSS) vulnerability in the Calendar function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Notes' field of a calendar event. This could lead to the execution of malicious… |
| CVE-2024-37394 |  |  | 0.00 | — | 0.00 |  | Jun 10, 2025 | A stored cross-site scripting (XSS) vulnerability in the Project Dashboards of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Dashboard title' and 'Dashboard content' text boxes. This can lead to the… |
| CVE-2024-37395 |  |  | 0.00 | — | 0.00 |  | Jun 10, 2025 | A stored cross-site scripting (XSS) vulnerability in the Public Survey function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Survey Title' and 'Survey Instructions' fields. This vulnerability could… |
| CVE-2025-23112 |  |  | 0.00 | — | 0.00 |  | Jan 10, 2025 | An issue was discovered in REDCap 14.9.6. A stored cross-site scripting (XSS) vulnerability allows authenticated users to inject malicious scripts into the Survey field name of Survey. When a user receives the survey, if he clicks on the field name, it triggers the XSS payload. |
| CVE-2025-23113 |  |  | 0.00 | — | 0.00 |  | Jan 10, 2025 | An issue was discovered in REDCap 14.9.6. It has an action=myprojects&logout=1 CSRF issue in the alert-title while performing an upload of a CSV file containing a list of alert configurations. An attacker can send the victim a CSV file containing an HTML injection payload in the… |
| CVE-2025-23110 |  |  | 0.00 | — | 0.00 |  | Jan 10, 2025 | An issue was discovered in REDCap 14.9.6. A Reflected cross-site scripting (XSS) vulnerability in the email-subject field exists while performing an upload of a CSV file containing a list of alert configurations. An attacker can send the victim a CSV file containing the XSS… |
| CVE-2025-23111 |  |  | 0.00 | — | 0.00 |  | Jan 10, 2025 | An issue was discovered in REDCap 14.9.6. It allows HTML Injection via the Survey field name, exposing users to a redirection to a phishing website. An attacker can exploit this to trick the user that receives the survey into clicking on the field name, which redirects them to a… |
| CVE-2024-56376 |  |  | 0.00 | — | 0.00 |  | Jan 9, 2025 | A stored cross-site scripting (XSS) vulnerability in the built-in messenger of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the message field. When a user clicks on the received message, the crafted payload is executed, potentially enabling the… |
| CVE-2024-56377 |  |  | 0.00 | — | 0.00 |  | Jan 9, 2025 | A stored cross-site scripting (XSS) vulnerability in survey titles of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the Survey Title field or Survey Instructions. When a user receives a survey and clicks anywhere on the survey page to enter data, the… |
| CVE-2024-56314 |  |  | 0.00 | — | 0.00 |  | Dec 22, 2024 | A stored cross-site scripting (XSS) vulnerability in the Project name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project. When a user clicks on the project name to access it, the crafted payload is executed,… |
| CVE-2024-56311 |  |  | 0.00 | — | 0.00 |  | Dec 22, 2024 | REDCap through 14.9.6 has a security flaw in the Notes section of calendar events, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into accessing a calendar event's notes, which triggers a logout request and terminates… |
| CVE-2024-56313 |  |  | 0.00 | — | 0.00 |  | Dec 22, 2024 | A stored cross-site scripting (XSS) vulnerability in the Calendar feature of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the Notes field of a calendar event. When the event is viewed, the crafted payload is executed, potentially enabling the… |
| CVE-2024-56310 |  |  | 0.00 | — | 0.00 |  | Dec 22, 2024 | REDCap through 14.9.6 has a security flaw in the Project Dashboards name, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into clicking on a Project Dashboards name that contains the malicious payload, which triggers a… |
| CVE-2024-56312 |  |  | 0.00 | — | 0.00 |  | Dec 22, 2024 | A stored cross-site scripting (XSS) vulnerability in the Project Dashboard name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project Dashboard. When a user clicks on the project Dashboard name, the crafted payload is… |