CVE-2024-56310
📋 TL;DR
REDCap versions through 14.9.6 have a cross-site request forgery (CSRF) vulnerability in Project Dashboards that lets an attacker force a victim's logout by tricking them into clicking a crafted dashboard name. It affects all REDCap users with access to the Project Dashboards functionality. The root cause is that the logout functionality lacks CSRF protections.
💻 Affected Systems
- REDCap
📦 What is this software?
REDCap (Research Electronic Data Capture), a web application for building and managing research databases and surveys, developed by Vanderbilt University.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could force mass user logouts across an organization, disrupting research workflows and potentially causing data loss if users were in the middle of data entry.
Likely Case
Individual users get logged out unexpectedly, causing inconvenience and potential minor workflow disruption.
If Mitigated
With proper CSRF protections implemented, no unauthorized logout actions can be performed.
🎯 Exploit Status
Exploitation requires user interaction (the victim must click a crafted link or dashboard name) but is technically simple. The GitHub reference contains research details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.9.7 or later
Vendor Advisory: https://www.evms.edu/research/resources_services/redcap/redcap_change_log/
Restart Required: No
Instructions:
1. Back up your REDCap installation.
2. Download REDCap version 14.9.7 or later from the official Vanderbilt REDCap website.
3. Follow the standard REDCap upgrade procedure.
4. Verify that CSRF tokens are now present on the logout functionality.
🔧 Temporary Workarounds
CSRF Protection Implementation (applies to: all)
Manually add CSRF tokens to the logout functionality if you cannot patch immediately.
Requires modifying REDCap source files; consult the REDCap documentation for its CSRF implementation.
Session Validation Enhancement (applies to: all)
Implement additional session validation checks.
Modify session handling so that logout requests are validated against the user's own session context.
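As an added illustration of the two workarounds above (not REDCap's own code), the following stand-alone Python shows a logout handler that accepts any request carrying a logout parameter, the pattern a CSRF link abuses, next to a hardened check that requires a POST, a per-session synchronizer token compared in constant time, and a same-origin Origin/Referer header. The `SITE_ORIGIN` host is a constructed placeholder.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://redcap.example.org"  # constructed placeholder, not a real host


def logout_vulnerable(method: str, params: dict) -> bool:
    """Before: any request with action=logout ends the session, even a GET from a
    crafted link or dashboard name, so a forged cross-site request succeeds."""
    return params.get("action") == "logout"


def issue_csrf_token(session: dict) -> str:
    """Mint a per-session synchronizer token; embed it in the logout form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def same_origin(headers: dict, site_origin: str) -> bool:
    """Defence in depth: browser-set Origin (or Referer) must match our site.
    Fail closed if neither header is present."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == site_origin


def logout_is_authorized(session: dict, method: str, form: dict,
                         headers: dict, site_origin: str = SITE_ORIGIN) -> bool:
    """After: only a POST that carries the token bound to this user's session,
    sent from our own origin, may end the session."""
    if method.upper() != "POST":
        return False  # a GET link or image tag can never log the user out
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False  # no token issued, or the request did not carry one
    if not hmac.compare_digest(expected, supplied):
        return False  # constant-time comparison; token does not match session
    return same_origin(headers, site_origin)
```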
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to detect and block CSRF attacks targeting logout functionality
- Educate users about phishing risks and implement click-through warnings for external links
🔍 How to Verify
Check if Vulnerable:
Check whether your REDCap version is 14.9.6 or earlier, and inspect the logout functionality for missing CSRF tokens.
Check Version:
Check the REDCap Control Center, or query the database configuration table (the redcap_config value for 'redcap_version').
Verify Fix Applied:
After patching, verify that logout requests now carry a CSRF token and that the server rejects requests without a valid one.
📡 Detection & Monitoring
Log Indicators:
- Multiple unexpected logout events from the same IP address in a short period
- Logout requests with no corresponding user action (e.g. no preceding click on the logout control)
Network Indicators:
- HTTP requests to the logout endpoint whose Referer header is missing or points to a third-party site
- Suspicious redirect patterns leading to the logout endpoint
SIEM Query:
source="redcap_logs" AND (event="logout" AND NOT user_action="click_logout")