CVE-2024-37394: n/a in n/a
A stored cross-site scripting (XSS) vulnerability in the Project Dashboards of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Dashboard title' and 'Dashboard content' text boxes. This can lead to the execution of malicious scripts when the dashboard is viewed. Users are recommended to update to version 14.2.1 or later to mitigate this vulnerability.
AI Analysis
Technical Summary
CVE-2024-37394 is a stored cross-site scripting (XSS) vulnerability in the Project Dashboards feature of REDCap version 13.1.9. REDCap is a widely used platform for managing online surveys and research databases, particularly in academic, clinical, and research environments. The vulnerability allows authenticated users to inject arbitrary web script or HTML into the 'Dashboard title' and 'Dashboard content' text boxes. Because the payload is stored, it runs in the browser of every user who views the dashboard, in the context of that viewer's session. This can result in session hijacking, unauthorized actions performed on behalf of the viewer, data theft, or the spread of malware within the affected environment. Exploitation requires authenticated access to the REDCap instance; no further privileges are specified, so any user with dashboard editing rights could exploit it. The issue is remediated by updating to REDCap version 14.2.1 or later, which includes proper input sanitization and output encoding to prevent script injection. No known exploits are currently reported in the wild, but the high severity rating reflects the potential impact of successful exploitation.
Potential Impact
For European organizations, particularly those in healthcare, academia, and research sectors where REDCap is commonly deployed, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to sensitive research data, patient information, or intellectual property, violating data protection regulations such as GDPR. The ability to execute arbitrary scripts could also facilitate lateral movement within the network, enabling attackers to escalate privileges or deploy further attacks. Additionally, compromised dashboards could be used to deliver phishing or social engineering payloads to trusted users, increasing the risk of broader security incidents. Given the sensitive nature of data managed by REDCap, the confidentiality and integrity of critical information are at risk, potentially leading to reputational damage, regulatory penalties, and operational disruption.
Mitigation Recommendations
European organizations should prioritize upgrading all REDCap instances to version 14.2.1 or later without delay. Until the update is applied, administrators should restrict dashboard editing permissions to the minimum necessary users and monitor dashboard content for suspicious entries. Implementing web application firewalls (WAFs) with rules to detect and block XSS payloads targeting REDCap dashboards can provide interim protection. Regular security training for users on recognizing suspicious dashboard behavior and reporting anomalies is recommended. Additionally, organizations should conduct thorough audits of existing dashboards to identify and remove any malicious scripts injected prior to patching. Logging and monitoring access to REDCap dashboards should be enhanced to detect unusual activity indicative of exploitation attempts. Finally, organizations should review and enforce strict input validation and output encoding policies in any custom REDCap modules or integrations to prevent similar vulnerabilities.
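As an added illustration (not REDCap's own code, which is PHP), the Python below shows the two output-side controls the fix relies on: full HTML encoding for the plain-text title, and an allow-list sanitizer for the rich-text content whose list of dropped items doubles as the audit check for dashboards stored before patching. The allow-list policy, the function names and the sample inputs are assumptions constructed for this example.

```python
from html import escape
from html.parser import HTMLParser

# Allow-list policy for the content box (assumed for this example, not REDCap's
# own list): anything else, including event-handler attributes, is dropped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "a", "h3"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_HREF = ("http://", "https://", "mailto:")
def render_title(title: str) -> str:
    """The title is plain text: encode every HTML metacharacter on output."""
    return escape(title, quote=True)

class _Sanitizer(HTMLParser):
    """Rebuilds markup keeping only allow-listed tags and attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)  # decode entities; re-encode below
        self.out, self.dropped, self._skip = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1  # also suppresses the text inside the block
        if tag not in ALLOWED_TAGS or self._skip:
            self.dropped.append(tag)
            return
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                self.dropped.append(f"{tag}@{name}")
            elif name == "href" and not value.strip().lower().startswith(SAFE_HREF):
                self.dropped.append(f"{tag}@{name}")  # blocks javascript: links
            else:
                kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif tag in ALLOWED_TAGS and not self._skip:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

def sanitize_content(html: str) -> tuple[str, list[str]]:
    """Return (safe_html, dropped_items) for the rich-text content box."""
    p = _Sanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.dropped

def audit_dashboard(title: str, content: str) -> list[str]:
    """Pre-patch audit of a stored record: markup in the title, or content the policy would strip."""
    findings = ["title contains markup"] if "<" in title else []
    return findings + sanitize_content(content)[1]
```

Running `audit_dashboard` over every stored dashboard row gives the list of records to review before the upgrade; an empty result means nothing the policy objects to is present.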
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy, Spain, Switzerland, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-06-07T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68487f501b0bd07c393899ba
Added to database: 6/10/2025, 6:54:08 PM
Last enriched: 7/10/2025, 7:50:15 PM
Last updated: 7/31/2025, 7:25:55 AM