CVE-2024-37394 is a stored cross-site scripting (XSS) vulnerability identified in the Project Dashboards feature of REDCap version 13.1.9. REDCap is a widely used software platform for managing online surveys and databases, particularly in academic, clinical, and research environments. The vulnerability allows authenticated users to inject arbitrary web scripts or HTML code into the 'Dashboard title' and 'Dashboard content' text boxes. Because the payload is stored, it executes whenever the dashboard is viewed by any user with access, potentially leading to the execution of malicious scripts in the context of the victim's browser session. This can result in session hijacking, unauthorized actions on behalf of the user, data theft, or the spread of malware within the affected environment. The vulnerability requires the attacker to have authenticated access to the REDCap instance, but no further privileges are specified, meaning any user with dashboard editing rights could exploit it. The issue is remediated by updating to REDCap version 14.2.1 or later, which includes proper input sanitization and output encoding to prevent script injection. No known exploits are currently reported in the wild, but the high severity rating reflects the potential impact of successful exploitation.

For European organizations, particularly those in healthcare, academia, and research sectors where REDCap is commonly deployed, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to sensitive research data, patient information, or intellectual property, violating data protection regulations such as GDPR. The ability to execute arbitrary scripts could also facilitate lateral movement within the network, enabling attackers to escalate privileges or deploy further attacks. Additionally, compromised dashboards could be used to deliver phishing or social engineering payloads to trusted users, increasing the risk of broader security incidents. Given the sensitive nature of data managed by REDCap, the confidentiality and integrity of critical information are at risk, potentially leading to reputational damage, regulatory penalties, and operational disruption.

European organizations should prioritize upgrading all REDCap instances to version 14.2.1 or later without delay. Until the update is applied, administrators should restrict dashboard editing permissions to the minimum necessary users and monitor dashboard content for suspicious entries. Implementing web application firewalls (WAFs) with rules to detect and block XSS payloads targeting REDCap dashboards can provide interim protection. Regular security training for users on recognizing suspicious dashboard behavior and reporting anomalies is recommended. Additionally, organizations should conduct thorough audits of existing dashboards to identify and remove any malicious scripts injected prior to patching. Logging and monitoring access to REDCap dashboards should be enhanced to detect unusual activity indicative of exploitation attempts. Finally, organizations should review and enforce strict input validation and output encoding policies in any custom REDCap modules or integrations to prevent similar vulnerabilities.