CVE-2024-37395: Stored Cross-Site Scripting in REDCap
A stored cross-site scripting (XSS) vulnerability in the Public Survey function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Survey Title' and 'Survey Instructions' fields. This vulnerability could be exploited by attackers to execute malicious scripts when the survey is accessed through its public link. It is advised to update to version 14.2.1 or later to fix this issue.
AI Analysis
Technical Summary
CVE-2024-37395 is a stored cross-site scripting (XSS) vulnerability identified in the Public Survey function of REDCap version 13.1.9. REDCap is a widely used secure web application for building and managing online surveys and databases, often employed in academic, clinical, and research environments. The vulnerability arises because authenticated users can inject malicious scripts or HTML code into the 'Survey Title' and 'Survey Instructions' fields. These fields are then rendered without proper sanitization or encoding when the survey is accessed via its public link, leading to the execution of arbitrary web scripts in the context of the victim's browser. This stored XSS can be exploited by an attacker who has authenticated access to the REDCap instance to craft payloads that execute when any user accesses the public survey link, potentially leading to session hijacking, credential theft, or distribution of malware. The vulnerability affects REDCap version 13.1.9 and is resolved in version 14.2.1 or later. No CVSS score is assigned yet, and there are no known exploits in the wild at the time of publication. However, the nature of stored XSS vulnerabilities in public-facing survey tools makes this a significant risk, especially given the sensitive data often handled by REDCap deployments.
Potential Impact
For European organizations, especially those in healthcare, academic research, and clinical trial sectors where REDCap is commonly used, this vulnerability poses a substantial risk. Exploitation could lead to unauthorized access to sensitive personal and medical data, undermining confidentiality and potentially violating GDPR requirements. Attackers could leverage the XSS flaw to steal session cookies, impersonate legitimate users, or distribute malicious payloads to survey respondents, damaging organizational reputation and trust. Given that REDCap surveys are often distributed widely via public links, the attack surface is broad, increasing the likelihood of victim exposure. Additionally, compromised surveys could be used to manipulate data integrity or disrupt availability by injecting scripts that alter survey behavior or cause denial of service. The impact extends beyond individual organizations to potentially affect collaborative research projects and multi-institutional studies common in Europe.
Mitigation Recommendations
To mitigate this vulnerability, European organizations using REDCap should urgently upgrade to version 14.2.1 or later, where the issue is fixed. Beyond patching, administrators should implement strict input validation and output encoding on all user-supplied content fields, especially those rendered in public-facing components. Employing Content Security Policy (CSP) headers can help limit the impact of any injected scripts by restricting the sources from which scripts can be loaded. Regular security audits and penetration testing focused on web application vulnerabilities should be conducted to detect similar issues proactively. Additionally, organizations should review user access controls to limit authenticated user permissions, reducing the risk of malicious payload injection. Educating users about phishing and social engineering risks related to malicious survey links can also reduce exploitation likelihood. Finally, monitoring web logs for unusual activity on survey endpoints can provide early detection of exploitation attempts.
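The mitigation paragraph names three controls: output encoding of stored fields at render time, a Content Security Policy, and a review of what is already stored. The Python below is an added example, not REDCap code and not part of the advisory; the page template, the field names, the CSP values and the sample survey records are all assumptions constructed for illustration. It renders the two affected fields once in the vulnerable pattern (raw interpolation) and once hardened (HTML-encoded), returns a restrictive CSP as defence in depth, and includes an audit helper that flags stored titles or instructions containing markup, which is useful for triaging existing records on an instance that has not yet been upgraded.

```python
"""Output encoding, CSP and stored-field audit for a public survey page.

Added example: a minimal stand-in for the public survey renderer, not REDCap's
own code. Template, field names, header values and sample records are assumed.
"""
import html
import re

# Assumed template; the real application's markup differs.
SURVEY_TEMPLATE = """<!doctype html>
<html><head><title>{title}</title></head>
<body>
<h1>{title}</h1>
<div class="survey-instructions">{instructions}</div>
</body></html>"""


def render_public_survey_unsafe(title: str, instructions: str) -> str:
    """Vulnerable pattern: stored fields are interpolated into HTML verbatim."""
    return SURVEY_TEMPLATE.format(title=title, instructions=instructions)


def render_public_survey(title: str, instructions: str) -> str:
    """Hardened pattern: HTML-encode each stored field at the point of output.

    quote=True also encodes ' and ", so the value stays inert whether it
    lands in text content or inside a quoted attribute.
    """
    return SURVEY_TEMPLATE.format(
        title=html.escape(title, quote=True),
        instructions=html.escape(instructions, quote=True),
    )


def security_headers() -> dict:
    """Defence-in-depth headers for the public survey endpoint.

    Assumed starting policy, not REDCap's shipped one: without 'unsafe-inline'
    an injected <script> block or onerror= handler is refused by the browser
    even if encoding were missed. Tune script-src to the real script origins.
    """
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "base-uri 'self'; frame-ancestors 'none'"
        ),
        "X-Content-Type-Options": "nosniff",
    }


# Tag-like markup, inline event handlers or javascript: URLs have no place in
# a plain-text title or instruction field.
_SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z][a-z0-9-]*|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)


def flag_suspicious_field(value: str) -> bool:
    """Audit signal: True if a stored field value looks like markup."""
    return _SUSPICIOUS.search(value) is not None


def audit_surveys(surveys):
    """Return ids of surveys whose title or instructions look like markup."""
    return [
        s["id"]
        for s in surveys
        if flag_suspicious_field(s["title"])
        or flag_suspicious_field(s["instructions"])
    ]


# Constructed sample records standing in for an export of the survey table.
SAMPLE_SURVEYS = [
    {"id": 1, "title": "Patient Follow-up", "instructions": "Answer all questions."},
    {
        "id": 2,
        "title": "Q3 Staff Survey <script>document.title='x'</script>",
        "instructions": 'Click <img src=x onerror="alert(1)"> to begin',
    },
]

if __name__ == "__main__":
    bad = SAMPLE_SURVEYS[1]
    unsafe = render_public_survey_unsafe(bad["title"], bad["instructions"])
    safe = render_public_survey(bad["title"], bad["instructions"])
    print("unsafe output keeps a live <script>:", "<script>" in unsafe)
    print("hardened output keeps a live <script>:", "<script>" in safe)
    print("flagged survey ids:", audit_surveys(SAMPLE_SURVEYS))
    for name, value in security_headers().items():
        print(f"{name}: {value}")
```

Two design points. The example treats both fields as plain text; if a deployment intentionally allows formatting in instructions, plain escaping would strip that feature and an allowlist-based HTML sanitizer takes its place, with encoding still applied to everything outside the allowlist. The CSP is a second layer, not a substitute for encoding: it limits what an injected script can do if a render path is missed, and any `'unsafe-inline'` grant would undo that benefit.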
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy, Spain, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-06-07T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68487f501b0bd07c393899d0
Added to database: 6/10/2025, 6:54:08 PM
Last enriched: 7/10/2025, 8:02:10 PM
Last updated: 7/30/2025, 4:15:28 PM
Views: 9
Related Threats
CVE-2025-9013: SQL Injection in PHPGurukul Online Shopping Portal Project (Medium)
CVE-2025-9012: SQL Injection in PHPGurukul Online Shopping Portal Project (Medium)
CVE-2025-9011: SQL Injection in PHPGurukul Online Shopping Portal Project (Medium)
CVE-2025-9010: SQL Injection in itsourcecode Online Tour and Travel Management System (Medium)
CVE-2025-9009: SQL Injection in itsourcecode Online Tour and Travel Management System (Medium)