CVE-2024-56377 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in Vanderbilt REDCap version 14.9.6. The flaw arises from improper neutralization of input during web page generation, specifically in the Survey Title and Survey Instructions fields. Authenticated users with permission to create or modify surveys can inject malicious JavaScript payloads into these fields. When a survey recipient accesses the survey and interacts with the page (e.g., clicks anywhere to enter data), the injected script executes in the victim’s browser context. This can lead to arbitrary script execution, enabling attackers to perform actions such as session hijacking, cookie theft, or redirecting users to malicious sites. The vulnerability requires authentication and user interaction, limiting its exploitation scope but still posing a significant risk in environments where REDCap is used for sensitive data collection. The CVSS 3.1 base score is 5.4, reflecting network attack vector, low attack complexity, required privileges, and user interaction with partial confidentiality and integrity impact but no availability impact. No patches or known exploits are currently publicly available, emphasizing the need for proactive mitigation.

The primary impact of this vulnerability is the potential compromise of confidentiality and integrity of user sessions and data within REDCap environments. Exploitation could allow attackers to execute arbitrary scripts in the context of survey recipients, potentially stealing session tokens, credentials, or other sensitive information accessible via the browser. This could lead to unauthorized access to REDCap projects or broader organizational systems if credentials are reused. Additionally, attackers could manipulate survey responses or redirect users to malicious websites, undermining data integrity and user trust. Since REDCap is widely used in academic, healthcare, and research institutions for sensitive data collection, exploitation could have serious privacy and compliance implications. The requirement for authenticated access and user interaction reduces the likelihood of widespread automated exploitation but does not eliminate targeted attacks, especially insider threats or compromised accounts. The absence of known exploits in the wild currently limits immediate risk but does not preclude future attacks once exploit code becomes available.

Organizations should immediately assess their REDCap deployments to identify instances running version 14.9.6 and prioritize upgrading to a patched version once available. In the absence of an official patch, administrators should implement strict input validation and sanitization on survey title and instruction fields to neutralize potentially malicious scripts. Restrict survey creation and editing privileges to trusted users only, minimizing the risk of malicious payload injection. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in survey pages. Monitor survey content for suspicious or unexpected script tags or encoded payloads. Educate users about the risks of interacting with untrusted surveys and encourage reporting of unusual behavior. Regularly review access logs and user activity for signs of exploitation attempts. Consider isolating REDCap instances within segmented network zones to limit lateral movement if compromise occurs. Finally, maintain up-to-date backups of survey data to recover from potential data integrity attacks.