CVE-2024-37395 is a stored cross-site scripting (XSS) vulnerability identified in the Public Survey function of REDCap version 13.1.9. REDCap is a widely used secure web application for building and managing online surveys and databases, often employed in academic, clinical, and research environments. The vulnerability arises because authenticated users can inject malicious scripts or HTML code into the 'Survey Title' and 'Survey Instructions' fields. These fields are then rendered without proper sanitization or encoding when the survey is accessed via its public link, leading to the execution of arbitrary web scripts in the context of the victim's browser. This stored XSS can be exploited by an attacker who has authenticated access to the REDCap instance to craft payloads that execute when any user accesses the public survey link, potentially leading to session hijacking, credential theft, or distribution of malware. The vulnerability affects REDCap version 13.1.9 and is resolved in version 14.2.1 or later. No CVSS score is assigned yet, and there are no known exploits in the wild at the time of publication. However, the nature of stored XSS vulnerabilities in public-facing survey tools makes this a significant risk, especially given the sensitive data often handled by REDCap deployments.

For European organizations, especially those in healthcare, academic research, and clinical trial sectors where REDCap is commonly used, this vulnerability poses a substantial risk. Exploitation could lead to unauthorized access to sensitive personal and medical data, undermining confidentiality and potentially violating GDPR requirements. Attackers could leverage the XSS flaw to steal session cookies, impersonate legitimate users, or distribute malicious payloads to survey respondents, damaging organizational reputation and trust. Given that REDCap surveys are often distributed widely via public links, the attack surface is broad, increasing the likelihood of victim exposure. Additionally, compromised surveys could be used to manipulate data integrity or disrupt availability by injecting scripts that alter survey behavior or cause denial of service. The impact extends beyond individual organizations to potentially affect collaborative research projects and multi-institutional studies common in Europe.

To mitigate this vulnerability, European organizations using REDCap should urgently upgrade to version 14.2.1 or later, where the issue is fixed. Beyond patching, administrators should implement strict input validation and output encoding on all user-supplied content fields, especially those rendered in public-facing components. Employing Content Security Policy (CSP) headers can help limit the impact of any injected scripts by restricting the sources from which scripts can be loaded. Regular security audits and penetration testing focused on web application vulnerabilities should be conducted to detect similar issues proactively. Additionally, organizations should review user access controls to limit authenticated user permissions, reducing the risk of malicious payload injection. Educating users about phishing and social engineering risks related to malicious survey links can also reduce exploitation likelihood. Finally, monitoring web logs for unusual activity on survey endpoints can provide early detection of exploitation attempts.