CVE-2021-42136
📋 TL;DR
A stored XSS vulnerability in REDCap's Missing Data Codes functionality allows attackers to inject malicious JavaScript that executes in users' browsers. This can lead to CSRF attacks that escalate privileges to administrator level. All REDCap installations before version 11.4.0 are affected.
💻 Affected Systems
- REDCap (Research Electronic Data Capture)
📦 What is this software?
Redcap by Vanderbilt
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrator privileges, potentially compromising all research data, modifying configurations, and accessing sensitive participant information.
Likely Case
Attackers steal session cookies, perform unauthorized actions as authenticated users, and potentially escalate privileges to lower-level administrative roles.
If Mitigated
With proper input validation and output encoding, the XSS payloads are neutralized, preventing JavaScript execution and subsequent CSRF attacks.
🎯 Exploit Status
Exploitation requires authenticated access to create/modify Missing Data Codes. The vulnerability is well-documented with public proof-of-concept available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.4.0 and later
Vendor Advisory: https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf
Restart Required: No
Instructions:
1. Backup your REDCap database and files.
2. Download REDCap 11.4.0 or later from the official website.
3. Follow the standard REDCap upgrade procedure.
4. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Disable Missing Data Codes functionality
Temporarily disable the vulnerable Missing Data Codes feature until patching is possible
Implement Content Security Policy
Add CSP headers to restrict script execution from untrusted sources
Add to web server config: Content-Security-Policy: default-src 'self'; script-src 'self'
🧯 If You Can't Patch
- Implement strict input validation and output encoding for all user-supplied data in Missing Data Codes
- Enable CSRF protection tokens and implement same-origin policy checks
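The two mitigations above (validate the code, encode the label on output) side by side with the unsafe rendering they replace. This is an added illustration, not REDCap's own code; it assumes a missing data code is stored as a short code plus a free-text label, and the function and pattern names are invented for the example.

```python
import html
import re

# Assumption (not REDCap's real format): a missing data code is a short token
# such as "NA" paired with a human-readable label such as "Not applicable".
CODE_PATTERN = re.compile(r"^[A-Za-z0-9_.-]{1,20}$")


def validate_code(code: str) -> bool:
    """Allow-list check for the code part: letters, digits, '_', '.', '-' only."""
    return CODE_PATTERN.fullmatch(code) is not None


def render_option_vulnerable(code: str, label: str) -> str:
    """'Before' form: user-supplied text is interpolated into HTML unencoded.

    A label containing markup is stored once and then executed in the browser
    of every user who views the page, which is the stored XSS the advisory describes.
    """
    return f'<option value="{code}">{label}</option>'


def render_option_hardened(code: str, label: str) -> str:
    """Hardened form: reject codes outside the allow-list, entity-encode everything else.

    html.escape with quote=True also encodes '"' and "'", so the value lands safely
    inside the attribute as well as inside the element body.
    """
    if not validate_code(code):
        raise ValueError(f"invalid missing data code: {code!r}")
    return (
        f'<option value="{html.escape(code, quote=True)}">'
        f"{html.escape(label, quote=True)}</option>"
    )


def contains_script_markup(rendered: str) -> bool:
    """Cheap post-render check used to demonstrate the difference between the two forms."""
    return "<script" in rendered.lower()


def demo() -> tuple:
    """Render a constructed hostile label both ways and return (vulnerable, hardened)."""
    label = "Not applicable <script>alert(1)</script>"  # constructed sample input
    return render_option_vulnerable("NA", label), render_option_hardened("NA", label)


if __name__ == "__main__":
    before, after = demo()
    print("vulnerable:", before)
    print("hardened:  ", after)
```

Validation of the code and encoding of the label are independent layers: the allow-list keeps the attribute value trivially safe, while the encoding is what neutralizes markup in the label regardless of what the validator accepts.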
🔍 How to Verify
Check if Vulnerable:
Check REDCap version in Control Center > Configuration Check. If version is below 11.4.0, the system is vulnerable.
Check Version:
Check Control Center > Configuration Check in REDCap web interface
Verify Fix Applied:
After upgrading to 11.4.0 or later, verify version in Control Center and test that JavaScript in Missing Data Codes fields is properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to Missing Data Codes
- JavaScript payloads in database logs for missing_data_codes table
- Multiple failed login attempts followed by Missing Data Code modifications
Network Indicators:
- HTTP requests containing JavaScript payloads in Missing Data Code parameters
- Unusual outbound connections from REDCap server after Missing Data Code updates
SIEM Query:
source="redcap_logs" AND ((event="missing_data_code_update" AND data CONTAINS "<script>") OR (event="admin_privilege_change" AND user NOT IN allowed_admins))
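The same two-branch query as runnable detection logic, run over constructed sample records and extended with the per-user correlation the "followed by" indicators above call for. This is an added example, not REDCap's or any SIEM's code; the JSON field names (`source`, `event`, `user`, `data`), the `ALLOWED_ADMINS` list and the log lines themselves are assumptions made for the example.

```python
import json
import re

# Constructed sample records in JSON-lines form; not real REDCap logs.
SAMPLE_LOGS = """\
{"ts":"2021-10-01T10:00:00Z","source":"redcap_logs","event":"missing_data_code_update","user":"alice","data":"NA, Not applicable"}
{"ts":"2021-10-01T10:05:00Z","source":"redcap_logs","event":"missing_data_code_update","user":"mallory","data":"NA, <script>alert(1)</script>"}
{"ts":"2021-10-01T10:06:00Z","source":"redcap_logs","event":"admin_privilege_change","user":"mallory","data":"role=administrator"}
{"ts":"2021-10-01T10:07:00Z","source":"redcap_logs","event":"admin_privilege_change","user":"admin1","data":"role=administrator"}
{"ts":"2021-10-01T10:08:00Z","source":"redcap_logs","event":"missing_data_code_update","user":"bob","data":"UNK, Unknown <b>value</b>"}
{"ts":"2021-10-01T10:09:00Z","source":"other_app","event":"missing_data_code_update","user":"eve","data":"<script>x</script>"}
"""

# Assumption: the accounts that are legitimately allowed to hold administrator rights.
ALLOWED_ADMINS = frozenset({"admin1", "admin2"})

# Markup that has no business in a missing data code label. "<script" is what the
# query above matches; the other two catch the common event-handler and URL variants.
SCRIPT_MARKUP = re.compile(r"<script|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def parse_logs(text):
    """Parse JSON-lines text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_suspicious_mdc_update(rec):
    """First branch of the query: a Missing Data Code update carrying script markup."""
    return (rec.get("event") == "missing_data_code_update"
            and SCRIPT_MARKUP.search(rec.get("data", "")) is not None)


def is_unexpected_admin_change(rec, allowed_admins=ALLOWED_ADMINS):
    """Second branch: an admin privilege change for a user outside the allow-list."""
    return (rec.get("event") == "admin_privilege_change"
            and rec.get("user") not in allowed_admins)


def scan(text, allowed_admins=ALLOWED_ADMINS):
    """Apply both branches to redcap_logs records and correlate them per user.

    Returns a list of (ts, user, reason). A privilege change by a user who earlier
    in the same log made a suspicious code update is reported as
    'possible_escalation', the stored XSS -> CSRF -> admin sequence the advisory
    describes; a privilege change with no such prior event is still reported,
    just with a weaker reason.
    """
    alerts = []
    tainted_users = set()
    for rec in parse_logs(text):
        if rec.get("source") != "redcap_logs":
            continue
        if is_suspicious_mdc_update(rec):
            tainted_users.add(rec["user"])
            alerts.append((rec["ts"], rec["user"], "script_in_missing_data_code"))
        elif is_unexpected_admin_change(rec, allowed_admins):
            reason = ("possible_escalation" if rec["user"] in tainted_users
                      else "unexpected_admin_change")
            alerts.append((rec["ts"], rec["user"], reason))
    return alerts


if __name__ == "__main__":
    for ts, user, reason in scan(SAMPLE_LOGS):
        print(ts, user, reason)
```

Records from other sources are dropped first so the `source="redcap_logs"` condition applies to both branches, which is the precedence the query intends; the legitimate change by `admin1` and the harmless `<b>` label from `bob` produce no alert.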
🔗 References
- http://packetstormsecurity.com/files/166723/REDCap-Cross-Site-Scripting.html
- https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf
- https://www.project-redcap.org/