
CVE-2024-37394: n/a in n/a

Severity: High
Published: Tue Jun 10 2025 (06/10/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: n/a

Description

A stored cross-site scripting (XSS) vulnerability in the Project Dashboards of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Dashboard title' and 'Dashboard content' text boxes. This can lead to the execution of malicious scripts when the dashboard is viewed. Users are recommended to update to version 14.2.1 or later to mitigate this vulnerability.

AI-Powered Analysis

Last updated: 07/10/2025, 19:50:15 UTC

Technical Analysis

CVE-2024-37394 is a stored cross-site scripting (XSS) vulnerability identified in the Project Dashboards feature of REDCap version 13.1.9. REDCap is a widely used software platform for managing online surveys and databases, particularly in academic, clinical, and research environments. The vulnerability allows authenticated users to inject arbitrary web scripts or HTML code into the 'Dashboard title' and 'Dashboard content' text boxes. Because the payload is stored, it executes whenever the dashboard is viewed by any user with access, potentially leading to the execution of malicious scripts in the context of the victim's browser session. This can result in session hijacking, unauthorized actions on behalf of the user, data theft, or the spread of malware within the affected environment. The vulnerability requires the attacker to have authenticated access to the REDCap instance, but no further privileges are specified, meaning any user with dashboard editing rights could exploit it. The issue is remediated by updating to REDCap version 14.2.1 or later, which includes proper input sanitization and output encoding to prevent script injection. No known exploits are currently reported in the wild, but the high severity rating reflects the potential impact of successful exploitation.

Potential Impact

For European organizations, particularly those in healthcare, academia, and research sectors where REDCap is commonly deployed, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to sensitive research data, patient information, or intellectual property, violating data protection regulations such as GDPR. The ability to execute arbitrary scripts could also facilitate lateral movement within the network, enabling attackers to escalate privileges or deploy further attacks. Additionally, compromised dashboards could be used to deliver phishing or social engineering payloads to trusted users, increasing the risk of broader security incidents. Given the sensitive nature of data managed by REDCap, the confidentiality and integrity of critical information are at risk, potentially leading to reputational damage, regulatory penalties, and operational disruption.

Mitigation Recommendations

European organizations should prioritize upgrading all REDCap instances to version 14.2.1 or later without delay. Until the update is applied, administrators should restrict dashboard editing permissions to the minimum necessary users and monitor dashboard content for suspicious entries. Implementing web application firewalls (WAFs) with rules to detect and block XSS payloads targeting REDCap dashboards can provide interim protection. Regular security training for users on recognizing suspicious dashboard behavior and reporting anomalies is recommended. Additionally, organizations should conduct thorough audits of existing dashboards to identify and remove any malicious scripts injected prior to patching. Logging and monitoring access to REDCap dashboards should be enhanced to detect unusual activity indicative of exploitation attempts. Finally, organizations should review and enforce strict input validation and output encoding policies in any custom REDCap modules or integrations to prevent similar vulnerabilities.
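Two of the recommendations above, output encoding of the dashboard fields and an audit of already-stored dashboards for injected markup, can be illustrated with a short script. The following is an added example written for this page; it is not REDCap code and does not reflect how REDCap stores or renders dashboards. It assumes dashboard rows are plain dictionaries with `title` and `content` fields, and the sample rows are constructed for the example. The audit uses a small set of textbook XSS indicators (a script tag, an inline event-handler attribute, a `javascript:` URI) and is a triage aid only: pattern matching has false negatives, so it complements the upgrade and output encoding rather than replacing them.

```python
"""Added example (not REDCap code): HTML-encode dashboard fields on output
and audit stored dashboard rows for script-like markup.

Assumptions: dashboards are dicts with 'id', 'title' and 'content' keys
(hypothetical layout); the rows in SAMPLE_DASHBOARDS are constructed here.
"""
import html
import re

# Constructed sample of stored dashboard rows, not real REDCap data.
# Rows 2-4 carry the kind of markup a stored-XSS audit should flag.
SAMPLE_DASHBOARDS = [
    {"id": 1, "title": "Enrollment by site",
     "content": "<p>Weekly enrollment summary</p>"},
    {"id": 2, "title": "Retention <script>alert(1)</script>",
     "content": "<p>Retention by month</p>"},
    {"id": 3, "title": "Adverse events",
     "content": '<img src=x onerror="alert(1)">'},
    {"id": 4, "title": "Links",
     "content": '<a href="javascript:alert(1)">click</a>'},
]

# Indicator name -> regular expression. Case-insensitive; deliberately
# narrow so the audit stays readable. Encoded or obfuscated payloads will
# not match, which is why output encoding is the actual fix.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "event_handler": re.compile(r"\bon\w+\s*=", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
}

# Fields the vulnerability description names as injection points.
AUDITED_FIELDS = ("title", "content")


def render_title(title: str) -> str:
    """Output-encode a dashboard title for an HTML context.

    html.escape with quote=True turns <, >, &, " and ' into entities, so
    browser-significant characters in stored data are displayed as text
    rather than parsed as markup.
    """
    return f"<h2>{html.escape(title, quote=True)}</h2>"


def find_script_markup(text: str) -> list[str]:
    """Return the names of the indicators that match the given text."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def audit_dashboards(rows: list[dict]) -> list[dict]:
    """Scan each audited field of each row; return one finding per
    (row, field) that matches at least one indicator."""
    findings = []
    for row in rows:
        for field in AUDITED_FIELDS:
            hits = find_script_markup(row.get(field, ""))
            if hits:
                findings.append(
                    {"id": row["id"], "field": field, "indicators": hits}
                )
    return findings


if __name__ == "__main__":
    # Encoded output: the script tag in row 2's title is rendered inert.
    print(render_title(SAMPLE_DASHBOARDS[1]["title"]))
    # Audit report over the constructed rows.
    for finding in audit_dashboards(SAMPLE_DASHBOARDS):
        print(f"dashboard {finding['id']}: {finding['field']} "
              f"matched {', '.join(finding['indicators'])}")
```

Run as a script it prints the encoded title and three findings. In practice the audit input would be exported from the dashboard table, and any flagged row should be reviewed by a person before removal, since legitimate dashboards may contain harmless HTML.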


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-06-07T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68487f501b0bd07c393899ba

Added to database: 6/10/2025, 6:54:08 PM

Last enriched: 7/10/2025, 7:50:15 PM

Last updated: 8/17/2025, 2:40:06 AM
