CVE-2025-23110
📋 TL;DR
A reflected cross-site scripting (XSS) vulnerability in REDCap 14.9.6 allows attackers to inject malicious scripts via CSV files containing alert configurations. When victims upload these files and click on email-subject values, the payload executes in their browser context. This affects REDCap users who process CSV alert configuration uploads.
💻 Affected Systems
- REDCap
📦 What is this software?
Redcap by Vanderbilt
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as the victim user, redirect to malicious sites, or install malware through the victim's browser.
Likely Case
Session hijacking leading to unauthorized access to REDCap data, potential data theft, or privilege escalation within the application.
If Mitigated
Limited impact with proper input validation and output encoding, potentially just script execution without data compromise.
🎯 Exploit Status
Exploitation requires the victim to upload an attacker-provided CSV file and then click on a specific field, which makes the attack moderately difficult to carry out but technically simple.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Unknown
Restart Required: No
Instructions:
Check with the REDCap vendor for security updates and upgrade to a patched version when one is available. In the meantime, apply the input-validation and output-encoding fixes described below.
🔧 Temporary Workarounds
Input Validation for CSV Uploads
Implement server-side validation to sanitize email-subject fields in CSV files before processing.
Output Encoding
Apply proper HTML encoding to email-subject values when they are displayed in the web interface.
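The two workarounds above (validate the CSV server-side, then encode on output) can be combined as shown in this added example. It is not REDCap code: the column names in the sample CSV and the rejection policy are assumptions made for illustration, and the sample rows are constructed.

```python
import csv
import html
import io
import re

# Markup-like content that has no place in a plain-text email subject.
# Used to reject (not silently rewrite) rows during server-side validation.
_MARKUP = re.compile(r"[<>]|javascript:|\bon\w+\s*=", re.IGNORECASE)

# Constructed sample upload. The column names are assumptions for this
# example, not REDCap's real alert-import format.
SAMPLE_CSV = """alert_number,alert_title,email_subject
1,Enrollment reminder,Welcome to the study
2,Follow-up,<script>alert(1)</script>
"""


def subject_is_clean(value: str) -> bool:
    """Server-side validation: True if the subject contains no markup-like content."""
    return _MARKUP.search(value) is None


def encode_for_html(value: str) -> str:
    """Output encoding: escape &, <, >, double and single quotes so the
    value is rendered as text wherever it is placed in an HTML element body
    or quoted attribute."""
    return html.escape(value, quote=True)


def process_alert_csv(csv_text: str) -> dict:
    """Parse an alert-configuration upload, reject rows whose email_subject
    fails validation, and attach an HTML-encoded copy of the subject to the
    accepted rows for later display.

    Returns {"accepted": [row, ...], "rejected": [{"alert_number", "reason"}, ...]}.
    """
    accepted, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        subject = row.get("email_subject", "") or ""
        if not subject_is_clean(subject):
            rejected.append({"alert_number": row.get("alert_number", "?"),
                             "reason": "markup in email_subject"})
            continue
        # Defence in depth: even validated values are encoded before display.
        accepted.append({**row, "email_subject_html": encode_for_html(subject)})
    return {"accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    result = process_alert_csv(SAMPLE_CSV)
    print("accepted:", [r["alert_number"] for r in result["accepted"]])
    print("rejected:", result["rejected"])
    print("encoded :", encode_for_html("<script>alert(1)</script>"))
```

Rejecting rather than stripping keeps the upload's semantics honest (a subject that needed sanitising is a sign something is wrong with the file), while the encoding step protects the page even if a value reaches the template by some other route.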
🧯 If You Can't Patch
- Restrict CSV upload functionality to trusted users only
- Implement web application firewall (WAF) rules to detect and block XSS payloads in CSV uploads
🔍 How to Verify
Check if Vulnerable:
Test by uploading a CSV of alert configurations that contains a test XSS payload in the email-subject field, then check whether the script executes when that field is clicked.
Check Version:
Check REDCap version in application interface or configuration files.
Verify Fix Applied:
Verify that XSS payloads in email-subject fields are properly sanitized and do not execute when clicked.
📡 Detection & Monitoring
Log Indicators:
- CSV file uploads with suspicious content in email-subject fields
- Unusual file upload patterns
Network Indicators:
- CSV file downloads from untrusted sources followed by uploads to REDCap
SIEM Query:
Search for file upload events to REDCap where the uploaded file has a .csv extension and its content contains script tags or JavaScript.
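As an added illustration of the log indicators and SIEM query above (not part of the original advisory), the following scans upload events for CSV files whose content carries script-like markup and counts uploads per user to surface unusual upload patterns. The key=value log format, field names and the /redcap/Alerts/import path are assumptions for this example; the log lines are constructed.

```python
import re
from collections import Counter

# Constructed upload-event log lines in a key=value style. Field names and
# paths are assumptions for this example, not REDCap's real log format.
SAMPLE_LOG = [
    '2025-01-15T10:22:01Z user=alice action=upload path=/redcap/Alerts/import file=alerts.csv content_sample="Welcome to the study"',
    '2025-01-15T10:25:44Z user=bob action=upload path=/redcap/Alerts/import file=alerts_v2.csv content_sample="<script>alert(1)</script>"',
    '2025-01-15T10:26:10Z user=carol action=upload path=/redcap/DataImport file=data.csv content_sample="age,sex,weight"',
    '2025-01-15T10:30:00Z user=dave action=download path=/redcap/export file=report.pdf content_sample=""',
]

# key=value pairs; values may be a quoted string or a bare token.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Script-like content: a script tag, a javascript: URL, an inline event
# handler, or any other HTML tag.
_SCRIPTY = re.compile(r"<\s*script|javascript:|\bon\w+\s*=|<\s*\w+[^>]*>", re.IGNORECASE)


def parse_line(line: str) -> dict:
    """Turn one log line into a dict of its fields plus the leading timestamp."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def find_suspicious_csv_uploads(lines) -> list:
    """Return upload events for .csv files whose content sample looks like markup."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("action") != "upload":
            continue
        if not ev.get("file", "").lower().endswith(".csv"):
            continue
        if _SCRIPTY.search(ev.get("content_sample", "")):
            hits.append({"ts": ev["ts"], "user": ev.get("user", "?"),
                         "file": ev["file"], "path": ev.get("path", "")})
    return hits


def uploads_per_user(lines) -> Counter:
    """Count upload events per user; a sudden spike is the 'unusual upload
    pattern' indicator and is worth alerting on separately."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev.get("action") == "upload":
            counts[ev.get("user", "?")] += 1
    return counts


if __name__ == "__main__":
    for hit in find_suspicious_csv_uploads(SAMPLE_LOG):
        print("ALERT: script-like CSV upload", hit)
    print("uploads per user:", dict(uploads_per_user(SAMPLE_LOG)))
```

The content-sample match is deliberately broad (any HTML tag, not only script tags) because an alert subject should never contain markup at all; tune the pattern to your own upload logging, and treat the per-user counts as a baseline to alert on deviations from rather than a fixed threshold.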