CVE-2024-56312
📋 TL;DR
This stored XSS vulnerability in REDCap allows authenticated users to inject malicious scripts into Project Dashboard names. When other users click on these dashboard names, the scripts execute in their browser context, potentially stealing session cookies or performing unauthorized actions. All REDCap instances running vulnerable versions with authenticated users are affected.
💻 Affected Systems
- REDCap
📦 What is this software?
Redcap by Vanderbilt
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, gain full system access, pivot to internal networks, and compromise sensitive research data.
Likely Case
Attackers steal user session cookies to impersonate legitimate users, access unauthorized projects, or modify research data.
If Mitigated
Script execution is blocked by CSP headers or browser XSS filters, limiting impact to UI manipulation only.
🎯 Exploit Status
Exploitation requires authenticated access; proof-of-concept available in GitHub repository.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.9.7 or later
Vendor Advisory: https://www.evms.edu/research/resources_services/redcap/redcap_change_log/
Restart Required: No
Instructions:
1. Backup your REDCap database and files.
2. Download REDCap version 14.9.7 or later from the Vanderbilt REDCap Consortium.
3. Follow standard REDCap upgrade procedures.
4. Verify the fix by testing XSS payloads in Project Dashboard names.
🔧 Temporary Workarounds
Input Validation Enhancement
Add custom input validation to sanitize Project Dashboard names before storage
Modify REDCap configuration to implement additional HTML entity encoding for dashboard name fields
Content Security Policy
Implement strict CSP headers to block inline script execution
Add the header Content-Security-Policy: script-src 'self' to the web server configuration
🧯 If You Can't Patch
- Restrict Project Dashboard creation/modification permissions to trusted administrators only
- Implement web application firewall rules to block common XSS payload patterns in dashboard names
🔍 How to Verify
Check if Vulnerable:
Test by creating a Project Dashboard with a name containing <script>alert('XSS')</script> and checking whether the script executes when the dashboard name is clicked
Check Version:
Check REDCap version in Control Center → Software Updates or via database query: SELECT value FROM redcap_config WHERE field_name = 'redcap_version'
Verify Fix Applied:
After patching, attempt the same XSS test; script should be displayed as plain text, not executed
📡 Detection & Monitoring
Log Indicators:
- Unusual length or special characters in Project Dashboard name fields
- Multiple dashboard creation/modification events from single user
Network Indicators:
- HTTP requests containing script tags in dashboard name parameters
- Outbound connections to suspicious domains following dashboard access
SIEM Query:
source="redcap_logs" AND (dashboard_name CONTAINS "<script>" OR dashboard_name CONTAINS "javascript:")
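The log and SIEM indicators above, as an added example that is not REDCap's own code: a scan over dashboard-name audit records applying the same two patterns as the SIEM query (case-insensitively) plus the length and per-user-volume heuristics, alongside the HTML entity encoding the workaround section describes. The record format, the length limit and the event threshold are assumptions; the sample records are constructed.

```python
import html
import re
from collections import Counter

# Same indicators as the SIEM query above, matched case-insensitively so that
# "<SCRIPT>" or "JavaScript:" variants are not missed.
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.IGNORECASE),
    re.compile(r"javascript\s*:", re.IGNORECASE),
]
MAX_NAME_LEN = 100    # assumed threshold for the "unusual length" indicator
EVENT_THRESHOLD = 3   # assumed: more dashboard events than this per user is flagged


def flag_name(name):
    """Return the indicators a dashboard name triggers (empty list if clean)."""
    hits = [p.pattern for p in XSS_PATTERNS if p.search(name)]
    if len(name) > MAX_NAME_LEN:
        hits.append("unusual_length")
    return hits


def scan_records(records):
    """records: dicts with 'user' and 'dashboard_name' keys (assumed layout).
    Returns (flagged entries, users above the event threshold)."""
    flagged = []
    for r in records:
        hits = flag_name(r["dashboard_name"])
        if hits:
            flagged.append((r["user"], r["dashboard_name"], hits))
    per_user = Counter(r["user"] for r in records)
    noisy = sorted(u for u, n in per_user.items() if n > EVENT_THRESHOLD)
    return flagged, noisy


def safe_dashboard_name(name):
    """Output encoding from the workaround: the name renders as plain text."""
    return html.escape(name, quote=True)


# Constructed sample audit records (not real REDCap log output)
SAMPLE_RECORDS = [
    {"user": "alice", "dashboard_name": "Enrollment Overview"},
    {"user": "mallory", "dashboard_name": "<script>alert('XSS')</script>"},
    {"user": "mallory", "dashboard_name": "Report JavaScript:void(0)"},
    {"user": "mallory", "dashboard_name": "Totals"},
    {"user": "mallory", "dashboard_name": "Weekly"},
    {"user": "bob", "dashboard_name": "Q" * 120},
]

if __name__ == "__main__":
    for user, name, hits in scan_records(SAMPLE_RECORDS)[0]:
        print(f"{user}: {name[:40]!r} -> {hits}")
    print("encoded:", safe_dashboard_name(SAMPLE_RECORDS[1]["dashboard_name"]))
```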