Cross-Site Request Forgery in REDCap 14.9.6 by VendoR
CVE-2025-23113

8.8HIGH

Key Information:

Vendor: VendoR
Status: Redcap
Vendor: CVE Published:; 10 January 2025

What is CVE-2025-23113?

An issue was discovered in REDCap 14.9.6 where an unprotected CSRF vulnerability allows an attacker to exploit the alert-title during CSV file uploads. By sending a specially crafted CSV file containing an HTML injection payload, an attacker can manipulate the victim's session. Upon uploading the malicious CSV, the victim is directed to a page that triggers a logout request or redirects to a phishing site when clicking the alert-title. This vulnerability arises due to the lack of CSRF protections on logout functionality, potentially compromising user sessions.

References

https://github.com/ping-oui-no/Vulnerability-Research-CVE...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 10, 2025