Reflected Cross-Site Scripting Vulnerability in REDCap by Vanderbilt University
CVE-2025-23110

6.1 MEDIUM

Key Information:

Vendor: Vanderbilt
Status: Vendor
CVE Published: 10 January 2025

What is CVE-2025-23110?

A reflected cross-site scripting (XSS) vulnerability in REDCap 14.9.6 can be exploited through the email-subject field of a CSV file upload containing alert configurations. If an attacker provides a victim with a specially crafted CSV file whose email-subject field carries an XSS payload, the victim's subsequent upload of that file takes them to a page that displays the uploaded data. Clicking the email subject on that page executes the XSS payload in the victim's browser, potentially compromising the victim's session and interactions with the application.
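To make the failure mode and its mitigation concrete, the following is an added, self-contained example (not REDCap's code and not taken from the advisory). It parses a constructed alert-configuration CSV whose subject column contains a marker payload, then renders the review page two ways: the flawed pattern that drops the field into HTML verbatim, and the hardened pattern that HTML-escapes it for the element-content context. The column names and the page layout are assumptions for illustration only.

```python
import csv
import html
import io

# Constructed sample input (not REDCap data): two alert rows, the second
# carrying HTML in the email-subject column. The header names are
# assumptions, not REDCap's real CSV schema.
SAMPLE_CSV = (
    "alert_title,email_subject,email_to\n"
    "Daily digest,Records updated today,team@example.org\n"
    "Bad row,\"Reminder <script>alert('xss')</script>\",team@example.org\n"
)


def parse_alert_csv(text):
    """Parse alert rows from CSV text into dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def render_subject_unsafe(subject):
    """Reproduces the flaw: the user-supplied field is concatenated into
    HTML without any encoding, so markup in the CSV becomes live markup."""
    return '<a href="#">' + subject + "</a>"


def render_subject_safe(subject):
    """Hardened form: escape the field for HTML element content. quote=True
    also encodes quotes, so the same helper is safe inside quoted attributes."""
    return '<a href="#">' + html.escape(subject, quote=True) + "</a>"


def render_review_page(rows, safe=True):
    """Build the 'uploaded data' review list from parsed rows."""
    render = render_subject_safe if safe else render_subject_unsafe
    items = "".join("<li>" + render(r["email_subject"]) + "</li>" for r in rows)
    return "<ul>" + items + "</ul>"


def contains_active_markup(fragment):
    """Simple check for this demonstration: is a raw <script tag still present?"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    rows = parse_alert_csv(SAMPLE_CSV)
    print("unsafe:", render_review_page(rows, safe=False))
    print("safe:  ", render_review_page(rows, safe=True))
```

The escaped output still shows the attacker's text to the reviewer, but as inert characters; the point is that encoding must happen at output time for the exact context the value lands in (element content here, with a different rule for URLs or JavaScript contexts), not at CSV-parse time.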

Affected Version(s)

REDCap 14.9.6

References

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published