Stored Cross-Site Scripting Vulnerability in REDCap by Project REDCap
CVE-2021-42136

Score: 9 (CRITICAL)

Key Information:

Vendor: Vanderbilt
Status: Vendor
CVE Published: 13 April 2022

What is CVE-2021-42136?

A stored Cross-Site Scripting (XSS) vulnerability exists in the Missing Data Codes feature of REDCap prior to version 11.4.0. The flaw allows an attacker to inject JavaScript that is persisted as a Missing Data Code value. When that stored value is later rendered and the script runs in a victim's browser, it can be used to mount a Cross-Site Request Forgery (CSRF) attack against the application, potentially allowing the attacker to escalate privileges to administrator level. Vulnerabilities of this kind pose a significant risk to sensitive data and to the integrity of user accounts.
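The defensive pattern for this class of bug is to treat every stored label as untrusted data and encode it for the HTML context at render time, ideally combined with a server-side check that rejects markup on input. The snippet below is an added illustration written for this page, not REDCap's code: the rendering functions, the `<option>` markup and the sample label are all assumptions, and the label is a constructed value of the kind the advisory describes being stored.

```python
import html
import re

# Constructed sample: a Missing Data Code label as an attacker might try to
# store it (hypothetical payload for illustration, not taken from the advisory).
UNTRUSTED_LABEL = 'Not asked <img src=x onerror="alert(1)">'

# Characters that have meaning in an HTML text or attribute context.
HTML_METACHARS = re.compile(r'[<>"\']')

# Crude check for raw tags that could execute in a browser if left unescaped.
ACTIVE_TAG = re.compile(r'<\s*(script|img|svg|iframe)\b', re.IGNORECASE)


def is_safe_label(label: str) -> bool:
    """Input-side validation: a code label never needs HTML metacharacters,
    so reject any submission that contains them before it is stored."""
    return HTML_METACHARS.search(label) is None


def render_unsafe(code: str, label: str) -> str:
    """Vulnerable pattern (assumed, for contrast): stored text is interpolated
    straight into the page, so any markup in the label becomes live HTML."""
    return f'<option value="{code}">{label}</option>'


def render_safe(code: str, label: str) -> str:
    """Hardened pattern: every stored value is escaped for the HTML context it
    lands in. quote=True also encodes quotes, which matters inside attributes."""
    return (
        f'<option value="{html.escape(code, quote=True)}">'
        f'{html.escape(label, quote=True)}</option>'
    )


def contains_active_markup(fragment: str) -> bool:
    """Detection helper for tests or log review: does a rendered fragment still
    carry an unescaped tag that a browser would interpret?"""
    return ACTIVE_TAG.search(fragment) is not None


if __name__ == "__main__":
    print("input check passes:", is_safe_label(UNTRUSTED_LABEL))
    print("unsafe render  :", render_unsafe("NA", UNTRUSTED_LABEL))
    print("safe render    :", render_safe("NA", UNTRUSTED_LABEL))
```

Output encoding is the control that actually closes the hole; the input check is defence in depth, since labels stored before the check existed, or written through another path, still reach the renderer.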

CVSS v3.1

Score: 9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published
  • Vulnerability reserved