CVE-2024-37396
📋 TL;DR
This stored XSS vulnerability in REDCap's Calendar function allows authenticated users to inject malicious scripts into calendar event notes. When other users view these events, the scripts execute in their browser context. All REDCap instances running version 13.1.9 or earlier with the Calendar feature enabled are affected.
💻 Affected Systems
- REDCap
📦 What is this software?
REDCap (Research Electronic Data Capture), a web-based research data management platform developed by Vanderbilt University.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of authenticated users, or deploy malware through the compromised REDCap instance.
Likely Case
Authenticated attackers could steal other users' session tokens, perform unauthorized actions, or deface calendar entries with malicious content.
If Mitigated
With proper input validation and output encoding, malicious scripts would be rendered harmless as plain text rather than executable code.
🎯 Exploit Status
Exploitation requires authenticated access. Trustwave's advisory includes technical details and payload examples that could be weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.2.1 or later
Vendor Advisory: https://www.evms.edu/research/resources_services/redcap/redcap_change_log/
Restart Required: Yes
Instructions:
1. Back up your REDCap database and files.
2. Download REDCap version 14.2.1 or later from the official Vanderbilt REDCap website.
3. Follow the REDCap upgrade instructions for your specific deployment.
4. Verify the Calendar function works correctly after the upgrade.
🔧 Temporary Workarounds
Disable Calendar Module (applies to: all deployments)
Temporarily disable the Calendar function to prevent exploitation while planning the upgrade.
Input Validation Filter (applies to: all deployments)
Implement web application firewall rules or input validation to block script tags in calendar notes. Note that a filter matching only the literal string `<script>` is a stopgap: it does not cover other ways of embedding JavaScript in HTML, so treat it as a bridge to the patch, not a substitute for it.
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution
- Enable audit logging for calendar events and monitor for suspicious note content
🔍 How to Verify
Check if Vulnerable:
Check REDCap version via Control Center > Configuration Check. If version is 13.1.9 or earlier, the system is vulnerable.
Check Version:
Check Control Center > Configuration Check in REDCap web interface
Verify Fix Applied:
After upgrading to 14.2.1 or later, test by entering script tags into a calendar event note on a non-production instance and viewing the event: the tags should be rendered as escaped, inert text rather than executed.
📡 Detection & Monitoring
Log Indicators:
- Unusual calendar event creation/modification patterns
- Calendar notes containing script tags or JavaScript code
Network Indicators:
- Unexpected outbound connections from REDCap server when viewing calendar events
SIEM Query:
source="redcap_logs" AND (event="calendar_note_update" AND message="*<script>*")
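As an added example (not code from the page, Trustwave, or REDCap itself), the following runs the detection idea behind the SIEM query above over constructed sample log lines, and pairs it with the output encoding that the mitigation section relies on. The log format (`key="value"` pairs with `user`, `event` and `message` fields) is an assumption; REDCap's real log schema is not shown on this page. It goes slightly beyond the query by also flagging inline event-handler attributes and `javascript:` URLs, which a bare `<script>` match would miss.

```python
import html
import re
from typing import Dict, List

# Constructed sample log lines in an ASSUMED key="value" format. The field
# names (user, event, message) are assumptions, not REDCap's real log schema.
SAMPLE_LOGS = [
    'source="redcap_logs" user="alice" event="calendar_note_update" message="Follow-up visit at 10:00"',
    'source="redcap_logs" user="bob" event="calendar_note_update" message="<script>alert(1)</script>"',
    'source="redcap_logs" user="carol" event="calendar_note_update" message="Reschedule <b>ASAP</b>"',
    'source="redcap_logs" user="dave" event="calendar_note_update" message="<img src=x onerror=alert(1)>"',
    'source="redcap_logs" user="erin" event="record_create" message="<script>wrong event, ignored</script>"',
]

# key="value" pairs; the value may contain backslash-escaped characters.
FIELD_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Wider than the SIEM query's *<script>* wildcard: also catches inline event
# handlers (onerror=, onload=, ...) and javascript: URLs, case-insensitively.
# Heuristic only: an ordinary word such as "onboarding=" would also match.
SUSPICIOUS = re.compile(
    r'<\s*script\b'        # opening <script> tag
    r'|\bon[a-z]+\s*='     # inline event-handler attribute
    r'|javascript\s*:',    # javascript: URL scheme
    re.IGNORECASE,
)


def parse_log_line(line: str) -> Dict[str, str]:
    """Turn one key="value" log line into a dict of its fields."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def find_suspicious_calendar_notes(lines: List[str]) -> List[Dict[str, str]]:
    """Return calendar_note_update events whose note looks like script content."""
    hits = []
    for line in lines:
        fields = parse_log_line(line)
        if fields.get("event") != "calendar_note_update":
            continue  # the page's query scopes detection to calendar note updates
        message = fields.get("message", "")
        if SUSPICIOUS.search(message):
            hits.append({"user": fields.get("user", "?"), "message": message})
    return hits


def render_note_safely(note: str) -> str:
    """Output-encode a note for an HTML text context: markup becomes inert literal text."""
    return html.escape(note, quote=True)


if __name__ == "__main__":
    for hit in find_suspicious_calendar_notes(SAMPLE_LOGS):
        print(f'{hit["user"]}: {hit["message"]!r} -> rendered as {render_note_safely(hit["message"])!r}')
```

Running the block flags bob's and dave's notes but not carol's harmless `<b>` tag or erin's non-calendar event, and shows each flagged note as the escaped text a patched instance would display.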
🔗 References
- https://www.evms.edu/research/resources_services/redcap/redcap_change_log/
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/multiple-cross-site-scripting-xss-vulnerabilities-in-redcap-cve-2024-37394-cve-2024-37395-and-cve-2024-37396/
- https://www.trustwave.com/hubfs/Web/Library/Advisories_txt/TWSL2024-003_XSS_REDCap_1.txt