Stored Cross-Site Scripting Vulnerability in REDCap by Vanderbilt University
CVE-2022-24004

5.4MEDIUM

Key Information:

Vendor: Vanderbilt
Status: Redcap
Vendor: CVE Published:; 15 June 2022

What is CVE-2022-24004?

A Stored Cross-Site Scripting (XSS) vulnerability exists in REDCap 12.0.11, specifically within the messenger/messenger_ajax.php file. This vulnerability allows an authenticated user to inject malicious scripts into the messenger title (new_title) field while editing a conversation. The injected payload is executed in the browsers of any participant engaged in the conversation, potentially compromising user data and security.

References

https://www.evms.edu/research/resources_services/redcap/r...

x_refsource_MISC

https://labs.nettitude.com/blog/cve-2022-24004-cve-2022-2...

x_refsource_MISC

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 15, 2022
Vulnerability Reserved
Jan 26, 2022