CVE-2024-56376
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in REDCap 14.9.6's built-in messenger allows authenticated users to inject malicious scripts into message fields. When recipients click on these messages, the payload executes, potentially enabling arbitrary web script execution. This affects all REDCap 14.9.6 installations with the messenger feature enabled.
💻 Affected Systems
- REDCap
📦 What is this software?
REDCap, a web-based research data capture application developed by Vanderbilt University
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform account takeovers, redirect users to malicious sites, or execute actions on behalf of authenticated users, potentially compromising sensitive research data.
Likely Case
Authenticated attackers could steal session tokens from other users, leading to unauthorized access to research data and potential data exfiltration.
If Mitigated
With proper input validation and output encoding, malicious scripts would be neutralized before execution, preventing exploitation.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of XSS payloads. The vulnerability is in the message field input handling.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.9.7 or later
Vendor Advisory: https://www.evms.edu/research/resources_services/redcap/redcap_change_log/
Restart Required: No
Instructions:
1. Backup your REDCap installation and database
2. Download REDCap 14.9.7 or later from the official Vanderbilt REDCap site
3. Follow the standard REDCap upgrade procedure
4. Verify the messenger feature works correctly after upgrade
🔧 Temporary Workarounds
Disable Messenger Feature
Temporarily disable the built-in messenger feature to prevent exploitation while planning an upgrade.
Navigate to REDCap Control Center > External Modules > Disable Messenger module
Implement Web Application Firewall (WAF) Rules
Configure WAF rules to block XSS payloads in message parameters.
Add WAF rule: Detect and block scripts in POST parameters to messenger endpoints
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to restrict script execution sources
- Enable input validation and output encoding at the application layer for all user-controlled fields
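As an added illustration of the output-encoding and CSP mitigations listed above (example code written for this page, not REDCap's own code), the following Python shows a hypothetical message-rendering routine before and after output encoding, alongside a weak and a corrected Content-Security-Policy value. The template markup, function names and header values are assumptions; the first sample message mirrors the test string used in the verification section below.

```python
import html

# Constructed sample message bodies as an authenticated user might submit them.
# The first mirrors the test string this advisory uses in its verification step.
SAMPLE_MESSAGES = [
    "<script>alert('test')</script>",
    "Hi team, the <b>updated</b> protocol is attached.",
    'Click <a href="javascript:void(0)">here</a>',
]

# Hypothetical template for one messenger entry; field values are substituted below.
MESSAGE_TEMPLATE = (
    '<div class="msg"><span class="author">{author}</span>'
    '<p class="body">{body}</p></div>'
)


def render_message_unsafe(author: str, body: str) -> str:
    """The defect class behind the CVE: user-controlled text is placed straight into
    HTML, so a body containing markup is parsed as markup when the message is viewed."""
    return MESSAGE_TEMPLATE.format(author=author, body=body)


def encode_for_html(untrusted: str) -> str:
    """Output-encode a user-controlled string for an HTML text or attribute context.
    html.escape(quote=True) rewrites & < > " and ' into entities, so the browser
    displays the characters instead of interpreting them."""
    return html.escape(untrusted, quote=True)


def render_message(author: str, body: str) -> str:
    """Hardened rendering: every user-controlled field is encoded at output time."""
    return MESSAGE_TEMPLATE.format(
        author=encode_for_html(author), body=encode_for_html(body)
    )


def contains_executable_markup(rendered_html: str) -> bool:
    """Self-check: True if the rendered fragment still carries a literal script tag
    or a javascript: URL in an href attribute, i.e. content a browser would execute
    rather than display."""
    lowered = rendered_html.lower()
    return "<script" in lowered or 'href="javascript:' in lowered


# Content-Security-Policy values (assumed examples). The weak policy re-enables
# inline scripts and so gives no protection against an injected <script> block;
# the corrected policy restricts scripts to same-origin files only.
CSP_WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline'"
CSP_HARDENED = (
    "default-src 'self'; script-src 'self'; object-src 'none'; "
    "base-uri 'self'; frame-ancestors 'self'"
)


def csp_allows_inline_script(policy: str) -> bool:
    """Return True if script-src (or default-src as its fallback) contains
    'unsafe-inline', which would let an injected inline script run."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    return "'unsafe-inline'" in sources


if __name__ == "__main__":
    for body in SAMPLE_MESSAGES:
        print("unsafe   :", render_message_unsafe("alice", body))
        print("hardened :", render_message("alice", body))
    print("weak CSP allows inline script:", csp_allows_inline_script(CSP_WEAK))
    print("hardened CSP allows inline script:", csp_allows_inline_script(CSP_HARDENED))
```

Output encoding is the fix that removes the defect; the CSP is a second layer that limits what an injected script could do if encoding is ever missed, and it only helps when the policy does not contain 'unsafe-inline' for script sources.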
🔍 How to Verify
Check if Vulnerable:
Check if REDCap version is 14.9.6 and messenger feature is enabled. Test by attempting to inject a simple XSS payload like <script>alert('test')</script> into a message field.
Check Version:
Check the REDCap Control Center > Home page for version information or examine the redcap_version table in the database.
Verify Fix Applied:
After upgrading to 14.9.7+, test that XSS payloads in message fields are properly sanitized and do not execute when messages are viewed.
📡 Detection & Monitoring
Log Indicators:
- Unusual patterns in messenger activity logs
- Multiple failed message submissions with script-like content
- Suspicious user agent strings in messenger requests
Network Indicators:
- HTTP requests containing script tags or JavaScript in message parameters
- Unusual outbound connections from REDCap server after message views
SIEM Query:
source="redcap_logs" AND (message="*<script>*" OR message="*javascript:*")
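To make the SIEM query above concrete, here is an added Python example (not part of the advisory or of REDCap) that applies the same two indicators to constructed log lines. The key=value log format is an assumption; adapt the parser to the actual REDCap or web-server log layout. It goes one step beyond the query by URL-decoding and HTML-unescaping the message field before matching and by matching case-insensitively, so a message that was stored in encoded form is still flagged, which a plain wildcard search would miss.

```python
import html
import re
import urllib.parse

# Constructed sample log records in a hypothetical key=value format. Quoted values may
# contain spaces; the message field is the user-controlled messenger body.
SAMPLE_LOGS = """\
ts=2024-12-01T10:01:02Z user=alice action=messenger_send message="Lab results attached"
ts=2024-12-01T10:02:15Z user=mallory action=messenger_send message="<script>alert('test')</script>"
ts=2024-12-01T10:03:40Z user=mallory action=messenger_send message="%3Cscript%3Ealert(1)%3C%2Fscript%3E"
ts=2024-12-01T10:04:05Z user=bob action=messenger_send message="the export script finished, see link"
ts=2024-12-01T10:05:00Z user=carol action=messenger_send message="&lt;a href=&quot;javascript:alert(1)&quot;&gt;x&lt;/a&gt;"
"""

# key=value or key="value with spaces"
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The same two indicators as the SIEM query, made case-insensitive and tolerant of
# whitespace inside the tag name or before the colon.
SUSPICIOUS_RE = re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE)


def parse_log_line(line: str) -> dict:
    """Turn one key=value line into a dict of field name to string value."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in FIELD_RE.findall(line)}


def normalize(value: str, rounds: int = 3) -> str:
    """Undo URL encoding and HTML entity encoding a bounded number of times so an
    indicator stored in encoded form is still visible to the pattern."""
    for _ in range(rounds):
        decoded = html.unescape(urllib.parse.unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def find_suspicious_messages(log_text: str) -> list:
    """Return the parsed records whose (normalized) message field matches an indicator.
    Each returned record also carries the decoded text under 'normalized_message'."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_log_line(line)
        normalized = normalize(record.get("message", ""))
        if SUSPICIOUS_RE.search(normalized):
            record["normalized_message"] = normalized
            hits.append(record)
    return hits


def suspicious_users(log_text: str) -> list:
    """Distinct users, in order of first appearance, with at least one flagged message."""
    seen = []
    for record in find_suspicious_messages(log_text):
        if record["user"] not in seen:
            seen.append(record["user"])
    return seen


if __name__ == "__main__":
    for hit in find_suspicious_messages(SAMPLE_LOGS):
        print(hit["ts"], hit["user"], repr(hit["normalized_message"]))
    print("users to review:", suspicious_users(SAMPLE_LOGS))
```

On the constructed sample the literal `*<script>*` wildcard from the SIEM query would flag only the second line; the decoded matching also surfaces the percent-encoded and entity-encoded messages, while the benign line that merely contains the word "script" is left alone. Flagged records are a starting point for review of the user's messenger activity, not proof of exploitation.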